CVE-2022-39281
MEDIUM 6.5 | EPSS 0.55% | Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint
Description
### Impact

An authenticated user can perform a remote Denial of Service attack against Fat Free CRM.

This vulnerability has been assigned the CVE identifier: CVE-2022-39281

Affected versions: All
Not affected: None
Fixed versions: 0.20.1

All users running an affected release should either upgrade or apply the patch immediately.

### Releases

Fixed versions: 0.20.1 and above

### Patches

If you are unable to upgrade immediately, you should apply the following patch.

```
diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb index d3d5c32c..7cdb24d6 100644 --- a/app/models/polymorphic/task.rb +++ b/app/models/polymorphic/task.rb @@ -189,6 +189,7 @@ class Task < ActiveRecord::Base #---------------------------------------------------------------------------- def self.bucket_empty?(bucket, user, view = "pending") return false if bucket.blank? || !ALLOWED_VIEWS.include?(view) + return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s) if view == "assigned" assigned_by(user).send(bucket).pending.count
```

### Credits

Thanks to @p- for reporting this and working with us to responsibly disclose this vulnerability.

### Further information

If you have any questions or comments about this advisory, please open an issue in the [GitHub Issue Tracker](https://github.com/fatfreecrm/fat_free_crm/issues).
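Review bot: The added `+ return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)` line is placed correctly, before `assigned_by(user).send(bucket)` can dispatch on a caller-supplied name, and its `false` result for an unknown bucket matches the existing `return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)` guard, so callers see an invalid bucket as "not empty" rather than an exception; that silent-false convention deserves a one-line comment in the method so future readers do not mistake it for a bug. Since `bucket` is now restricted to the configured allowlist, `send(bucket)` could become `public_send(bucket)` as defense in depth at no functional cost, and whether any other code path reaches `send` with a bucket name that bypasses `bucket_empty?` is not visible in this hunk and should be confirmed before treating the patch as the complete fix.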
Affected packages (1)
- RubyGems/fat_free_crm: from 0, < 0.20.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-39281
- PATCH: https://github.com/fatfreecrm/fat_free_crm
- WEB: https://github.com/fatfreecrm/fat_free_crm/commit/c85a2546348c2692d32f952c753f7f0b43d1ca71
- WEB: https://github.com/fatfreecrm/fat_free_crm/releases/tag/v0.20.1
- WEB: https://github.com/fatfreecrm/fat_free_crm/security/advisories/GHSA-p75c-5x3h-cxcg
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fat_free_crm/CVE-2022-39281.yml