Fat Free CRM is an open source, Ruby on Rails customer relationship management (CRM) platform. In versions prior to 0.20.1, an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vulnerability has been patched in commit `c85a254` and will be available in release `0.20.1`. Users are advised to upgrade or to manually apply patch `c85a254`. There are no known workarounds for this issue. Fat Free CRM was found to be vulnerable to a remote Denial of Service attack as a user with administrative privileges could edit any record in the application.
Technical Operations
Fat Free CRM allows a user to create a record in the system via a bucket. An attacker can use this to craft a request that will cause a DoS condition via bucket access.
Authentication in Fat Free CRM
Fat Free CRM implements an authentication/authorization system. When a request is made to access a bucket, the controller checks the user's authentication token and grants access to the requesting user. If a user requests a bucket (via HTTP) with an unauthorized token, the controller sends back a 401 response, which raises an exception in the application and prevents the offending request from being executed.
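The gate described above, written out as an added illustrative example rather than Fat Free CRM's own code: a minimal Rack-style controller in plain Ruby that looks up the bearer token in a session store and answers 401 before the bucket handler runs. The session store, the `BucketController` class and the `/buckets/...` path layout are all constructed here for the example and are not taken from the project.

```ruby
# Constructed session store: token => user id. In a real Rails application
# this would be the session/authentication layer, not a hash literal.
SESSIONS = { "tok-alice" => "alice", "tok-bob" => "bob" }.freeze

# Hypothetical bucket controller. It counts handler invocations so that a
# caller can verify the handler is never reached for rejected requests.
class BucketController
  attr_reader :invocations

  def initialize(sessions = SESSIONS)
    @sessions = sessions
    @invocations = 0
  end

  # `env` mirrors the two Rack env keys this example needs: the Authorization
  # header and the request path. Returns a Rack-style [status, headers, body].
  def call(env)
    user = authenticate(env["HTTP_AUTHORIZATION"])
    # Unknown or missing token: short-circuit with 401 before any bucket work.
    return [401, { "Content-Type" => "text/plain" }, ["Unauthorized"]] unless user

    show_bucket(user, env["PATH_INFO"])
  end

  private

  # Accepts only "Bearer <token>" and resolves the token to a user id.
  # Missing and malformed headers are treated identically (both yield nil).
  def authenticate(header)
    return nil unless header

    scheme, token = header.split(" ", 2)
    return nil unless scheme == "Bearer" && token

    @sessions[token]
  end

  # The protected handler; only runs once authentication has succeeded.
  def show_bucket(user, path)
    @invocations += 1
    bucket = path.to_s.delete_prefix("/buckets/")
    [200, { "Content-Type" => "text/plain" }, ["#{user} viewing bucket #{bucket}"]]
  end
end

if $PROGRAM_NAME == __FILE__
  ctrl = BucketController.new
  p ctrl.call("HTTP_AUTHORIZATION" => "Bearer tok-alice", "PATH_INFO" => "/buckets/today")
  p ctrl.call("HTTP_AUTHORIZATION" => "Bearer bogus", "PATH_INFO" => "/buckets/today")
end
```

The point of the invocation counter is that the authentication check is a hard gate: a request with a bad token never reaches the handler, which is the behaviour the 401-plus-exception path in the text is meant to guarantee.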
Overview of the Vulnerability
An authenticated user with access to the backend of Fat Free CRM can perform a remote Denial of Service attack: a crafted, malicious request causes a denial of service (DoS) condition against Fat Free CRM.
Timeline
Published on: 10/08/2022 01:15:00 UTC
Last modified on: 10/11/2022 15:30:00 UTC