CVE-2022-39281

2022-10-0801:15:08

CWE-20

[email protected]

web.nvd.nist.gov

fat_free_crm

0.20.1

dos vulnerability

patch

ruby on rails

crm

nvd

cve-2022-39281

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

53.5%

JSON

fat_free_crm is a an open source, Ruby on Rails customer relationship management platform (CRM). In versions prior to 0.20.1 an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vulnerability has been patched in commit c85a254 and will be available in release 0.20.1. Users are advised to upgrade or to manually apply patch c85a254. There are no known workarounds for this issue.

Affected configurations

Vulners

NVD

Node

fatfreecrmfat_free_crmRange<0.20.1

VendorProductVersionCPE
fatfreecrmfat_free_crm*cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fatfreecrm	fat_free_crm	*	cpe:2.3:a:fatfreecrm:fat_free_crm::::::::

CNA Affected

[
  {
    "vendor": "fatfreecrm",
    "product": "fat_free_crm",
    "versions": [
      {
        "version": "< 0.20.1",
        "status": "affected"
      }
    ]
  }
]