OSS Password Pusher Security Notice
OSS Security Fix in v2.4.2

We've had a community security report that anonymous users can bypass authentication with a specific API call combo to upload files anonymously.
This affects open source Password Pusher only.
Summary
Anonymous users can craft a specific API push creation call to bypass auth and attach files to pushes
Affects both API v1 & v2
This only applies if you have PWP__ALLOW_ANONYMOUS=true (the default setting)
This was fixed the same day as the report (yesterday).
Before we publish the GitHub Security Advisory & CVE, I wanted to notify internal channels first.
If you are running OSS Password Pusher please update to at least v2.4.2.
If you are still running v1.x.x of OSS Password Pusher, we also released LTS v1.69.4 with the fix.
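A quick "am I affected" check written for this notice (added example, not part of the original post or of the Password Pusher project): it compares a deployed version against the two fixed releases named above and treats PWP__ALLOW_ANONYMOUS as enabled unless it is explicitly set to "false", since the post says true is the default. The function name and the string-based parsing of the variable are assumptions.

```python
"""Classify a Password Pusher deployment against the v2.4.2 / v1.69.4 fix."""

# Fixed releases per major branch, as stated in the notice.
FIXED_RELEASES = {1: (1, 69, 4), 2: (2, 4, 2)}


def parse_version(tag: str) -> tuple[int, int, int]:
    """Turn 'v2.4.1' or '2.4.1' into a comparable (major, minor, patch) tuple."""
    parts = tag.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version tag: {tag!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def anonymous_pushes_enabled(env: dict[str, str]) -> bool:
    """Unset means the default (true); only an explicit 'false' disables it.
    Assumption: this mirrors how the app reads PWP__ALLOW_ANONYMOUS."""
    return env.get("PWP__ALLOW_ANONYMOUS", "true").strip().lower() != "false"


def classify_deployment(version_tag: str, env: dict[str, str]) -> str:
    """Return one of: affected, patched, anonymous-disabled, unknown-branch."""
    if not anonymous_pushes_enabled(env):
        # The bypass needs anonymous push creation; disabling it closes the path.
        return "anonymous-disabled"
    version = parse_version(version_tag)
    fixed = FIXED_RELEASES.get(version[0])
    if fixed is None:
        # The notice only speaks about the 1.x LTS and 2.x branches.
        return "unknown-branch"
    return "patched" if version >= fixed else "affected"


if __name__ == "__main__":
    # Constructed sample inventory: (image tag, container environment).
    inventory = [
        ("v2.4.1", {}),
        ("v2.4.2", {}),
        ("v1.69.3", {"PWP__ALLOW_ANONYMOUS": "true"}),
        ("v1.69.4", {}),
        ("v2.3.0", {"PWP__ALLOW_ANONYMOUS": "false"}),
    ]
    for tag, env in inventory:
        print(f"{tag:>9}  {classify_deployment(tag, env)}")
```

Feed it the image tag and environment of each running instance; anything reported as "affected" should be moved to v2.4.2 / v1.69.4 or have anonymous pushes disabled until it is.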
In other news
APIv2 has been added to OSS
Recipient payloads now auto re-blur after 20 seconds to defend against over-the-shoulder attacks and unlocked screens
The Docker stable tag currently points to v1.69.4. We will soon be moving this to the v2 tags.
Update to latest or v2.4.3 to get the security fix and these latest features.
Thanks for the attention!
Peter Giacomo Lombardo
