CVE-2024-52796: 
Ruby vulnerability analysis and mitigation

Password Pusher, an open source application for communicating sensitive information over the web, contains a vulnerability (CVE-2024-52796) in versions prior to v1.49.0. The vulnerability was discovered and reported by Positive Technologies, allowing attackers to bypass the application's rate limiter through forged proxy headers (GitHub Advisory).

The vulnerability stems from the application's handling of proxy headers, specifically the X-Forwarded-* headers. In affected versions, the rate limiter implementation could be circumvented by forging these proxy headers, as the application did not properly validate their authenticity. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating network accessibility with low attack complexity and no required privileges or user interaction (GitHub Advisory).

The vulnerability enables attackers to bypass rate limiting controls, potentially leading to two main impacts: 1) The ability to send unlimited traffic to the site, potentially causing a denial of service condition, and 2) Enhanced capability to execute brute force attacks due to the circumvention of rate limiting protections (GitHub Advisory).

The vulnerability has been fixed in Password Pusher version 1.49.0, which implements a security control to only authorize proxies on local IPs by default. For organizations using remote proxies, specific configuration is required to authorize the IP addresses of these proxies. As a workaround for users unable to upgrade immediately, it is recommended to add rules to the proxy and/or firewall to block external proxy headers (X-Forwarded-*) from clients (GitHub Advisory, PWPush Docs).