CVE-2013-7222 - OpenCVE

config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Fatfreecrm	Fat Free Crm

Configuration 1 [-]

OR	cpe:2.3:a:fatfreecrm:fat_free_crm::::::::
	cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.6:::::::*
	cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.7:::::::*
	cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.8:::::::*
	cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.9:::::::*
	cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.10:::::::*
	cpe:2.3:a:fatfreecrm:fat_free_crm:0.10.1:::::::*
	cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.0:::::::*
	cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.1:::::::*
	cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.2:::::::*

References

Link	Resource
http://openwall.com/lists/oss-security/2013/12/28/2
http://seclists.org/fulldisclosure/2013/Dec/199
http://www.phenoelit.org/stuff/ffcrm.txt	Exploit
https://github.com/fatfreecrm/fat_free_crm/commit/93c182dd4c6f3620b721d2a15ba6a6ecab5669df	Exploit Patch
https://github.com/fatfreecrm/fat_free_crm/issues/300
https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2014-01-02T11:00:00

Updated: 2014-01-02T04:57:00

Reserved: 2013-12-28T00:00:00

Link: CVE-2013-7222

JSON object: View

NVD Information

Status : Analyzed

Published: 2014-01-02T14:59:04.063

Modified: 2014-01-03T17:12:35.577

Link: CVE-2013-7222

JSON object: View

Redhat Information

No data.

CWE

CWE-310

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-12-24T00:00:00", "descriptions": [{"lang": "en", "value": "config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-01-02T04:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fatfreecrm/fat_free_crm/commit/93c182dd4c6f3620b721d2a15ba6a6ecab5669df"}, {"name": "20131224 Happy Holidays / Xmas Advisory", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2013/Dec/199"}, {"name": "[oss-security] 20131228 Re: CVE request: Fat Free CRM multiple vulnerabilities", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2013/12/28/2"}, {"tags": ["x_refsource_MISC"], "url": "http://www.phenoelit.org/stuff/ffcrm.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fatfreecrm/fat_free_crm/issues/300"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7222", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/fatfreecrm/fat_free_crm/commit/93c182dd4c6f3620b721d2a15ba6a6ecab5669df", "refsource": "CONFIRM", "url": "https://github.com/fatfreecrm/fat_free_crm/commit/93c182dd4c6f3620b721d2a15ba6a6ecab5669df"}, {"name": "20131224 Happy Holidays / Xmas Advisory", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Dec/199"}, {"name": "[oss-security] 20131228 Re: CVE request: Fat Free CRM multiple vulnerabilities", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2013/12/28/2"}, {"name": "http://www.phenoelit.org/stuff/ffcrm.txt", "refsource": "MISC", "url": "http://www.phenoelit.org/stuff/ffcrm.txt"}, {"name": "https://github.com/fatfreecrm/fat_free_crm/issues/300", "refsource": "CONFIRM", "url": "https://github.com/fatfreecrm/fat_free_crm/issues/300"}, {"name": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29", "refsource": "CONFIRM", "url": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7222", "datePublished": "2014-01-02T11:00:00", "dateReserved": "2013-12-28T00:00:00", "dateUpdated": "2014-01-02T04:57:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "437226C5-1A19-4BFE-9177-603284DAEADA", "versionEndIncluding": "0.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.6:*:*:*:*:*:*:*", "matchCriteriaId": "ADF154CE-04ED-446E-B2F4-483D7D356975", "vulnerable": true}, {"criteria": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.7:*:*:*:*:*:*:*", "matchCriteriaId": "34CFB3C8-9C3B-43D8-B946-0EB2FAFD3BF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.8:*:*:*:*:*:*:*", "matchCriteriaId": "8C2B22FC-6FA2-4365-BC71-ED79D914B781", "vulnerable": true}, {"criteria": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.9:*:*:*:*:*:*:*", "matchCriteriaId": "0108A4ED-2D1F-49C8-88C7-7A074767CFE5", "vulnerable": true}, {"criteria": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.10:*:*:*:*:*:*:*", "matchCriteriaId": "0A5888F1-1D68-4131-ADDC-BBEDB62E74ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "0F5CBECE-E4A4-48A7-8880-D9562378FE22", "vulnerable": true}, {"criteria": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "33170E54-4CF5-42B2-9F9A-269C26C9FB70", "vulnerable": true}, {"criteria": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "890482B9-D9AC-4D10-9764-4E23A112070F", "vulnerable": true}, {"criteria": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.2:*:*:*:*:*:*:*", "matchCriteriaId": "3C652479-AE15-4BAC-AE75-9018FE71AABA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code."}, {"lang": "es", "value": "config/initializers/secret_token.rb en Fat Free CRM antes 0.12.1 tiene un valor fijo FatFreeCRM::Application.config.secret_token, lo que hace que sea m\u00e1s f\u00e1cil para los atacantes remotos falsificar las cookies firmados por referencia a la clave en el c\u00f3digo fuente."}], "id": "CVE-2013-7222", "lastModified": "2014-01-03T17:12:35.577", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-02T14:59:04.063", "references": [{"source": "cve@mitre.org", "url": "http://openwall.com/lists/oss-security/2013/12/28/2"}, {"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2013/Dec/199"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.phenoelit.org/stuff/ffcrm.txt"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "https://github.com/fatfreecrm/fat_free_crm/commit/93c182dd4c6f3620b721d2a15ba6a6ecab5669df"}, {"source": "cve@mitre.org", "url": "https://github.com/fatfreecrm/fat_free_crm/issues/300"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}