CVE-2022-39281
Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint
Description

### Impact

An authenticated user can perform a remote Denial of Service attack against Fat Free CRM.

This vulnerability has been assigned the CVE identifier: CVE-2022-39281

Affected versions: All
Not affected: None
Fixed versions: 0.20.1

All users running an affected release should either upgrade or apply the patch immediately.

### Releases

Fixed versions: 0.20.1 and above

### Patches

If you are unable to upgrade immediately, you should apply the following patch.

```
diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb index d3d5c32c..7cdb24d6 100644 --- a/app/models/polymorphic/task.rb +++ b/app/models/polymorphic/task.rb @@ -189,6 +189,7 @@ class Task < ActiveRecord::Base #---------------------------------------------------------------------------- def self.bucket_empty?(bucket, user, view = "pending") return false if bucket.blank? || !ALLOWED_VIEWS.include?(view) + return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s) if view == "assigned" assigned_by(user).send(bucket).pending.count
```

### Credits

Thanks to @p- for reporting this and working with us to responsibly disclose this vulnerability.

### Further information

If you have any questions or comments about this advisory, please open an issue in the [GitHub Issue Tracker](https://github.com/fatfreecrm/fat_free_crm/issues).
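Review bot: the new guard `return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)` is placed correctly, before `bucket` reaches `send(bucket)` on the `assigned_by(user).send(bucket).pending.count` line, and returning false for an unknown bucket matches the existing early return for a blank bucket or a view outside `ALLOWED_VIEWS`. Two follow-ups worth considering: replace `send(bucket)` with `public_send(bucket)` so that only public scopes are reachable even if the configured bucket list ever drifts from the model's scopes, and add a regression test that calls `Task.bucket_empty?` with a bucket name that is not in `Setting.task_bucket` and asserts it returns false rather than raising.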
How to patch CVE-2022-39281

To patch CVE-2022-39281, upgrade the affected package to the patched version below.

- Upgrade to 0.20.1 or later

Is CVE-2022-39281 being exploited?

Low: EPSS is 0.5%, and no large-scale exploitation activity has been observed.

Affected packages (1)
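The fix in the advisory above adds an allowlist check on the request-supplied bucket name before that name is used for dynamic dispatch. The following is an added, self-contained example of that pattern, not Fat Free CRM's own code: the bucket names, the `TaskRelation` stand-in for the ActiveRecord scope chain and the task counts are all constructed here, and `public_send` in the hardened version is a suggestion of this example rather than part of the project's patch.

```ruby
# Constructed example, not Fat Free CRM code: the allowlist pattern behind the
# CVE-2022-39281 fix. A request-supplied bucket name is checked against the
# configured bucket list before it is used for dynamic dispatch.

# Stand-in for Setting.task_bucket (assumed names; the real list is configured).
TASK_BUCKETS = %i[overdue due_today due_tomorrow due_this_week due_next_week due_later].freeze

# Minimal stand-in for an ActiveRecord scope chain so the example runs offline.
class PendingScope
  def initialize(n)
    @n = n
  end

  def pending
    self
  end

  def count
    @n
  end
end

class TaskRelation
  # counts: bucket name (symbol) => number of pending tasks (constructed data)
  def initialize(counts)
    @counts = counts
  end

  # One scope per configured bucket, like the named scopes on the real model.
  TASK_BUCKETS.each do |bucket|
    define_method(bucket) { PendingScope.new(@counts.fetch(bucket, 0)) }
  end
end

# Shape before the fix: only blank input is rejected, so any other string
# reaches send, and a name with no matching scope raises NoMethodError,
# which surfaces to the caller as a failed request.
def bucket_empty_unchecked?(relation, bucket)
  return false if bucket.nil? || bucket.to_s.strip.empty?

  relation.send(bucket).pending.count.zero?
end

# Shape after the fix: names outside the configured list return false before
# any dispatch happens; public_send additionally limits dispatch to public
# methods (an extra hardening step chosen for this example).
def bucket_empty?(relation, bucket)
  return false if bucket.nil? || bucket.to_s.strip.empty?
  return false unless TASK_BUCKETS.map(&:to_s).include?(bucket.to_s)

  relation.public_send(bucket).pending.count.zero?
end

if __FILE__ == $PROGRAM_NAME
  rel = TaskRelation.new(overdue: 2, due_today: 0)
  puts bucket_empty?(rel, "due_today")    # true
  puts bucket_empty?(rel, "overdue")      # false
  puts bucket_empty?(rel, "not_a_bucket") # false, nothing is dispatched
end
```

The order of the two guards matters: the allowlist check runs before any method lookup, so an unexpected name never reaches the dispatch call, and the method's result for an invalid name is the same `false` the method already returns for a blank bucket.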
- from 0, < 0.20.1