
CVE-2022-39281 fat_free_crm

Package

Manager: gem
Name: fat_free_crm
Vulnerable Version: >=0 <0.20.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0265 (percentile 0.85203)

Details

Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint

### Impact

An authenticated user can perform a remote Denial of Service attack against Fat Free CRM.

This vulnerability has been assigned the CVE identifier: CVE-2022-39281

Affected versions: All
Not affected: None
Fixed versions: 0.20.1

All users running an affected release should either upgrade or apply the patch immediately.

### Releases

Fixed versions: 0.20.1 and above

### Patches

If you are unable to upgrade immediately, you should apply the following patch.

```diff
diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb
index d3d5c32c..7cdb24d6 100644
--- a/app/models/polymorphic/task.rb
+++ b/app/models/polymorphic/task.rb
@@ -189,6 +189,7 @@ class Task < ActiveRecord::Base
   #----------------------------------------------------------------------------
   def self.bucket_empty?(bucket, user, view = "pending")
     return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
+    return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)
 
     if view == "assigned"
       assigned_by(user).send(bucket).pending.count
```

### Credits

Thanks to @p- for reporting this and working with us to responsibly disclose this vulnerability.

### Further information

If you have any questions or comments about this advisory, please Open an issue in [GitHub Issue Tracker](https://github.com/fatfreecrm/fat_free_crm/issues)
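Review bot: the added allowlist line sits correctly ahead of `assigned_by(user).send(bucket).pending.count`, but that call site still uses `send`, which can reach private methods on the relation; now that `bucket` is known to be one of `Setting.task_bucket`, switching it to `public_send(bucket)` costs nothing and keeps a future regression in the check from re-opening the same surface. Two smaller points: returning `false` for an unknown bucket matches the existing `bucket.blank?` line, but a bucket name outside `Setting.task_bucket` can only come from a tampered request, so it is worth logging rather than silently treating the bucket as non-empty; and a regression test that calls `bucket_empty?` with a method name that is not a bucket would document why the line exists.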

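The root cause described above is a request parameter reaching `send` unchecked. The following is an added example, not Fat Free CRM's own code: it models `Task.bucket_empty?` before and after the patch with a small in-memory relation in place of ActiveRecord, so it runs stand-alone. The bucket names, the sample tasks and the `bucket.to_s.empty?` stand-in for `blank?` are assumptions made for the example.

```ruby
# Added example, not Fat Free CRM's code: Task.bucket_empty? before and
# after the CVE-2022-39281 patch, with Rails replaced by a tiny in-memory
# relation so the script runs on plain Ruby.

ALLOWED_VIEWS = %w[pending assigned completed].freeze

# Stand-in for Setting.task_bucket. The names are assumed for the example;
# in Fat Free CRM they come from the site settings.
TASK_BUCKETS = %i[overdue due_asap due_today due_tomorrow due_this_week
                  due_next_week due_later].freeze

Task = Struct.new(:name, :bucket, :completed)

# Minimal stand-in for an ActiveRecord relation: one scope per bucket,
# plus `pending` and `count`, which is all bucket_empty? needs.
class TaskRelation
  def initialize(tasks)
    @tasks = tasks
  end

  TASK_BUCKETS.each do |bucket|
    define_method(bucket) { TaskRelation.new(@tasks.select { |t| t.bucket == bucket }) }
  end

  def pending
    TaskRelation.new(@tasks.reject(&:completed))
  end

  def count
    @tasks.size
  end
end

# Constructed sample data for the example.
TASKS = TaskRelation.new([
  Task.new("call back lead", :due_today, false),
  Task.new("send proposal",  :due_today, true),
  Task.new("renew contract", :due_later, false)
])

# Pre-patch shape: `bucket` reaches `send` unchecked, so every method the
# relation object responds to, including private Kernel methods that every
# Ruby object inherits, is callable from the request parameter.
# (`bucket.to_s.empty?` stands in for ActiveSupport's `blank?`.)
def bucket_empty_unpatched?(relation, bucket, view = "pending")
  return false if bucket.to_s.empty? || !ALLOWED_VIEWS.include?(view)

  relation.send(bucket).pending.count.zero?
end

# Patched shape: the allowlist line from the advisory rejects anything that
# is not a configured bucket before `send` is reached.
def bucket_empty_patched?(relation, bucket, view = "pending")
  return false if bucket.to_s.empty? || !ALLOWED_VIEWS.include?(view)
  return false unless TASK_BUCKETS.map(&:to_s).include?(bucket.to_s)

  relation.send(bucket).pending.count.zero?
end

# Run one bucket value through a checker and describe the outcome, so the
# difference between "a scope ran" and "an arbitrary method ran" is visible
# without doing anything harmful to the process.
def probe(checker, bucket)
  result = send(checker, TASKS, bucket)
  "returned #{result.inspect}"
rescue NoMethodError, ArgumentError, RuntimeError => e
  "reached #{e.class}: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  %w[due_tomorrow raise instance_variable_get].each do |bucket|
    puts "#{bucket.ljust(22)} unpatched: #{probe(:bucket_empty_unpatched?, bucket)}"
    puts "#{bucket.ljust(22)} patched:   #{probe(:bucket_empty_patched?, bucket)}"
  end
end
```

With the unpatched function, `"raise"` and `"instance_variable_get"` are not buckets yet both are executed (the first hits `Kernel#raise`, a private method reachable through `send`); with the patched function both fall through the allowlist and return `false` exactly like a blank bucket, while a real bucket such as `"due_tomorrow"` still works. The advisory does not state which method produced the reported denial of service; the point of the example is that before the patch the reachable surface is every method on the relation, not only the bucket scopes.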
Metadata

Created: 2022-10-07T21:19:01Z
Modified: 2022-10-07T21:19:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-p75c-5x3h-cxcg/GHSA-p75c-5x3h-cxcg.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-p75c-5x3h-cxcg
Finding: F184
Auto approve: 1