VYPR
Moderate severity · NVD Advisory · Published Oct 8, 2022 · Updated Apr 23, 2025

Remote Denial of Service via Tasks endpoint in fat_free_crm

CVE-2022-39281

Description

fat_free_crm is an open source, Ruby on Rails customer relationship management platform (CRM). In versions prior to 0.20.1, an authenticated user can perform a remote Denial of Service attack against Fat Free CRM through the task bucket parameter. The vulnerability has been patched in commit c85a254 and is included in release 0.20.1. Users are advised to upgrade or to manually apply patch c85a254. There are no known workarounds for this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions   Patched versions
fat_free_crm   RubyGems    < 0.20.1            0.20.1


Patches

c85a2546348c

Merge pull request from GHSA-p75c-5x3h-cxcg

https://github.com/fatfreecrm/fat_free_crm · Steve Kenworthy · Oct 7, 2022 · via ghsa
2 files changed · +2 −1
  • app/models/polymorphic/task.rb+1 0 modified
    @@ -189,6 +189,7 @@ def self.find_all_grouped(user, view)
       #----------------------------------------------------------------------------
       def self.bucket_empty?(bucket, user, view = "pending")
         return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
    +    return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)
     
         if view == "assigned"
           assigned_by(user).send(bucket).pending.count
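Review bot: the allow-list on the added line protects this one call site, but the unsafe primitive on the next context line, `assigned_by(user).send(bucket).pending.count`, is left as is, so any other caller that dispatches a request-supplied bucket name the same way stays exposed. Suggest hoisting `Setting.task_bucket.map(&:to_s)` into a named method on Task next to `ALLOWED_VIEWS` so every caller can reuse it, and switching `send` to `public_send` so that private methods (Kernel#sleep, for example) are unreachable even from a caller that forgets the check. Also note that an unknown bucket now returns `false` (meaning "not empty") rather than raising, consistent with the existing `bucket.blank?` branch; a one-line comment explaining that choice would help the next reader.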
    
  • lib/fat_free_crm/version.rb+1 1 modified
    @@ -9,7 +9,7 @@ module FatFreeCRM
       module VERSION # :nodoc:
         MAJOR = 0
         MINOR = 20
    -    TINY  = 0
    +    TINY  = 1
         PRE   = nil
     
         STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
    

Vulnerability mechanics

The fix commit shows where the problem sits. `Task.bucket_empty?` receives a `bucket` name that, per the advisory, an authenticated user controls, checks only that it is present and that `view` is one of `ALLOWED_VIEWS`, and then passes the name straight to `send` on the task relation (`assigned_by(user).send(bucket).pending.count`). Because `send` dispatches any method name, including private ones, the value is not limited to the configured bucket scopes. The patch adds an allow-list: the bucket must be one of the names configured in `Setting.task_bucket`, otherwise the method returns early and nothing is dispatched. Apart from the version bump to 0.20.1, no other code is changed.
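The dispatch pattern that the patch guards, reduced to plain Ruby so it runs without Rails. This is an added example, not fat_free_crm code: `TaskRelation`, `TASK_BUCKETS` and the scope names are stand-ins (assumptions) for the ActiveRecord relation and for `Setting.task_bucket` in the real application, and `rebuild_index` is a constructed placeholder for any method an attacker would rather you did not call. The vulnerable shape mirrors the pre-patch `bucket_empty?`; the patched shape adds the allow-list from the commit and also uses `public_send`, which the commit itself does not do.

```ruby
# Added example (not fat_free_crm code): arbitrary method dispatch via send,
# vulnerable form beside the allow-listed form from the CVE-2022-39281 fix.

# Stand-in for Setting.task_bucket: the bucket scopes the UI may ask for.
TASK_BUCKETS = %w[overdue due_today due_tomorrow due_this_week].freeze

# Minimal stand-in for an ActiveRecord relation with one scope per bucket.
class TaskRelation
  attr_reader :dispatched # every method name that reached this relation

  def initialize(counts)
    @counts = counts        # constructed sample data: bucket name => row count
    @dispatched = []
  end

  # One scope per configured bucket, each returning that bucket's count.
  TASK_BUCKETS.each do |bucket|
    define_method(bucket) do
      @dispatched << bucket
      @counts.fetch(bucket, 0)
    end
  end

  # Exists on the relation but was never meant to be reachable as a bucket
  # (placeholder for an expensive or destructive operation).
  def rebuild_index
    @dispatched << "rebuild_index"
    0
  end
end

# Pre-patch shape: only presence is checked, then the name goes straight to
# send, which also reaches private methods such as Kernel#sleep.
def bucket_empty_vulnerable?(relation, bucket)
  return false if bucket.nil? || bucket.to_s.empty?

  relation.send(bucket).zero?
end

# Post-patch shape: the name must match a configured bucket before any
# dispatch happens; public_send additionally keeps private methods out.
def bucket_empty_patched?(relation, bucket)
  return false if bucket.nil? || bucket.to_s.empty?
  return false unless TASK_BUCKETS.include?(bucket.to_s)

  relation.public_send(bucket).zero?
end

# Whether an attacker-chosen string would reach a method through send
# (private methods included, which is what the second argument enables).
def reachable_via_send?(relation, name)
  relation.respond_to?(name, true)
end

if $PROGRAM_NAME == __FILE__
  rel = TaskRelation.new("overdue" => 2, "due_today" => 0)
  p bucket_empty_vulnerable?(rel, "due_today")     # true: legitimate bucket
  p bucket_empty_vulnerable?(rel, "rebuild_index") # true, and the method ran
  p rel.dispatched                                 # ["due_today", "rebuild_index"]
  p bucket_empty_patched?(rel, "rebuild_index")    # false, nothing dispatched
  p reachable_via_send?(rel, "sleep")              # true: private Kernel method
end
```

The `dispatched` log is the point of the demonstration: with the vulnerable form, whatever string arrives as `bucket` becomes a method call on the relation, and `reachable_via_send?` shows that this includes private methods inherited from Kernel. The patched form never touches the relation unless the name is in the configured list.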
