Headline
CVE-2022-39281: Release v0.20.1 · fatfreecrm/fat_free_crm
fat_free_crm is a an open source, Ruby on Rails customer relationship management platform (CRM). In versions prior to 0.20.1 an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vulnerability has been patched in commit c85a254 and will be available in release 0.20.1. Users are advised to upgrade or to manually apply patch c85a254. There are no known workarounds for this issue.
Addresses CVE-2022-39281 - Remote Denial of Service via Tasks endpoint
See GHSA-p75c-5x3h-cxcg for more details
Related news
### Impact An authenticated user can perform a remote Denial of Service attack against Fat Free CRM. This vulnerability has been assigned the CVE identifier: CVE-2022-39281 Affected versions: All Not affected: None Fixed versions: 0.20.1 All users running an affected release should either upgrade or apply the patch immediately. ### Releases Fixed versions: 0.20.1 and above ### Patches If you are unable to upgrade immediately, you should apply the following patch. ``` diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb index d3d5c32c..7cdb24d6 100644 --- a/app/models/polymorphic/task.rb +++ b/app/models/polymorphic/task.rb @@ -189,6 +189,7 @@ class Task < ActiveRecord::Base #---------------------------------------------------------------------------- def self.bucket_empty?(bucket, user, view = "pending") return false if bucket.blank? || !ALLOWED_VIEWS.include?(view) + return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s) ...