CVE-2022-39281

Remote Denial of Service via Tasks endpoint in fat_free_crm

Description

fat_free_crm is a an open source, Ruby on Rails customer relationship management platform (CRM). In versions prior to 0.20.1 an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vulnerability has been patched in commit `c85a254` and will be available in release `0.20.1`. Users are advised to upgrade or to manually apply patch `c85a254`. There are no known workarounds for this issue.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 2.00% Top 20%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com
Affected: fatfreecrm fat_free_crm
Published at:
Updated at:

References

Link Tags
https://github.com/fatfreecrm/fat_free_crm/security/advisories/GHSA-p75c-5x3h-cxcg third party advisory
https://github.com/fatfreecrm/fat_free_crm/commit/c85a2546348c2692d32f952c753f7f0b43d1ca71 third party advisory patch
https://github.com/fatfreecrm/fat_free_crm/releases/tag/v0.20.1 third party advisory release notes

Frequently Asked Questions

What is the severity of CVE-2022-39281?
CVE-2022-39281 has been scored as a medium severity vulnerability.
How to fix CVE-2022-39281?
To fix CVE-2022-39281, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-39281 being actively exploited in the wild?
It is possible that CVE-2022-39281 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-39281?
CVE-2022-39281 affects fatfreecrm fat_free_crm.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.