CVE-2022-35925: Merge pull request #2230 from bookwyrm-social/nginx-rate-limit · bookwyrm-social/bookwyrm@7bbe42f

BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views, which allows brute-force attacks. This issue has been patched in version 0.4.5. Admins with existing instances will need to update the nginx.conf file that was created when the instance was set up. Users are advised to upgrade. Users unable to upgrade may apply the changes to their nginx.conf files manually.
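Because the fix only reaches existing instances when an admin edits the nginx.conf generated at setup, a quick way to audit an instance is to check whether the location nginx would select for each auth view actually carries a `limit_req` that names a declared zone. The checker below is an added example, not BookWyrm's code; its parser is deliberately minimal (comments stripped, no quoted `;` or braces, one server block) and the two sample configs are constructed for illustration.

```python
import re

AUTH_PATHS = ("/login", "/password-reset", "/resend-link")  # views the fix guards

def parse_nginx(text):
    """Flatten an nginx config into (args, context) pairs, context being the
    tuple of enclosing block headers. Comments stripped; quoted ';'/braces unsupported."""
    out, stack, args = [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text)):
        if tok == "{":
            stack.append(tuple(args))
        elif tok == ";":
            out.append((args, tuple(stack)))
        elif tok == "}":
            stack.pop()
        else:
            args.append(tok)
            continue
        args = []
    return out

def _selected(locations, path):
    """The location nginx would use: the first matching regex location, else
    the longest matching prefix ('=' and '^~' are treated as plain prefixes)."""
    best, chosen = -1, None
    for loc in locations:
        mod, pat = loc[1:3] if len(loc) > 2 else ("", loc[1])
        if mod in ("~", "~*"):
            if re.search(pat, path, re.I if mod == "~*" else 0):
                return loc
        elif path.startswith(pat) and len(pat) > best:
            best, chosen = len(pat), loc
    return chosen

def check_auth_rate_limit(conf_text):
    """Map each auth path to True iff the location nginx selects for it holds a
    limit_req directive naming a declared limit_req_zone."""
    directives = parse_nginx(conf_text)
    zones = {a[5:].split(":")[0] for args, _ in directives
             if args[:1] == ["limit_req_zone"] for a in args if a.startswith("zone=")}
    locations = list(dict.fromkeys(ctx[-1] for _, ctx in directives
                                   if ctx and ctx[-1][:1] == ("location",)))
    return {p: any(args[:1] == ["limit_req"] and ctx and ctx[-1] == _selected(locations, p)
                   and any(a[5:] in zones for a in args if a.startswith("zone="))
                   for args, ctx in directives) for p in AUTH_PATHS}

OLD_CONF = "server { listen 80; location / { proxy_pass http://web; } }"  # constructed: pre-fix
# Constructed: the same instance after applying the 0.4.5 nginx changes.
NEW_CONF = """limit_req_zone $binary_remote_addr zone=loginlimit:10m rate=1r/s;
server { listen 80; location / { proxy_pass http://web; }
  location ~ ^/(login|password-reset|resend-link) { limit_req zone=loginlimit; proxy_pass http://web; } }"""
```

A commented-out block is stripped before parsing, so a `limit_req` location that is still behind `#` reports as unguarded, and a `limit_req` whose zone was never declared (the `server_config` half of the change missing) reports as unguarded too.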


Merge pull request #2230 from bookwyrm-social/nginx-rate-limit

Adds rate limiting to some views in nginx

2 parents ed20587 + e1e6a2d commit 7bbe42fb30a79a26115524d18b697d895563c92f

Showing 3 changed files with 19 additions and 0 deletions.

    • development
    • production
    • server_config

@@ -7,6 +7,15 @@ upstream web {

server {

listen 80;

location ~ ^/(login|password-reset|resend-link) {

limit_req zone=loginlimit;

proxy_pass http://web;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Host $host;

proxy_redirect off;

}

location / {

proxy_pass http://web;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
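Review bot: `limit_req zone=loginlimit;` in the new location is used without a `burst` parameter, so at the zone's `rate=1r/s` any second request from the same address within a second is refused immediately, and nginx answers with 503 unless `limit_req_status` is set; a double-clicked login button or a follow-up request from the browser will trip it. Suggest `limit_req zone=loginlimit burst=5 nodelay;` with `limit_req_status 429;` so legitimate users get a meaningful status while sustained guessing is still throttled. Also worth noting in the commit message that `location ~ ^/(login|password-reset|resend-link)` is a left-anchored regex, so it covers every path that starts with those segments, not only the exact views.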

@@ -41,6 +41,15 @@ server {

# root /var/www/certbot;

# }

# location ~ ^/(login|password-reset|resend-link) {

# limit_req zone=loginlimit;

# proxy_pass http://web;

# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# proxy_set_header Host $host;

# proxy_redirect off;

# }

# location / {

# proxy_pass http://web;

# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
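Review bot: every added line here is `#`-commented like the surrounding server block, so in the production template the rate-limited location only takes effect once an operator uncomments that block. The CVE text says existing instances must edit their nginx.conf by hand; the deployment docs should state that the `limit_req` location has to be uncommented together with the rest, otherwise `/login` and the other auth paths keep being served through the unlimited `location /`.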

@@ -1 +1,2 @@

client_max_body_size 10m;

limit_req_zone $binary_remote_addr zone=loginlimit:10m rate=1r/s;
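Review bot: the zone is keyed on `$binary_remote_addr`, which is the address of whatever connects directly to nginx. If an instance sits behind another reverse proxy, load balancer or CDN, every visitor shares that one address and therefore one 1r/s budget, so the limit both locks all users out of the auth views together and lets a single source hide among them. Suggest documenting that such deployments need the real_ip module (`set_real_ip_from` plus `real_ip_header X-Forwarded-For`) so the key reflects the actual client, and noting that `rate=1r/s` is tight for users behind a shared NAT address (an office or campus), where legitimate logins will collide.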

1 comment on commit 7bbe42f

@mouse-reeve maintainer, pls confirm: are you happy to assign a CVE for this? Then only the hunter.dev admin can move further.
