CVE-2018-16476
N/A
N/A
Summary
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | https://github.com/rails/rails | 4.2.0 up to and before 4.2.11 | affected |
| n/a | https://github.com/rails/rails | 4.2.0 up to and before 5.0.7.1 | affected |
| n/a | https://github.com/rails/rails | 4.2.0 up to and before 5.1.6.1 | affected |
| n/a | https://github.com/rails/rails | 4.2.0 up to and before 5.2.1.1 | affected |
Weaknesses
- CWE-284: Improper Access Control - Generic (CWE-284)
ADP Enrichment
CVE Program Container
Additional References
- https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
- https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/
- https://access.redhat.com/errata/RHSA-2019:0600
References
- https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
- https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/
- https://access.redhat.com/errata/RHSA-2019:0600
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.