CVE-2018-16476
Gem: rails
Category: Information Disclosure
Severity: Severe
Discovered 12 months ago
Published about 5 years ago

There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

Impact

Carefully crafted user input passed as a job argument can cause Active Job to deserialize it as a GlobalID, so the job receives a record located by an attacker-chosen identifier and the attacker gains access to information that they should not have.

Vulnerable code will look something like this:

MyJob.perform_later(user_input)
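The following is an added example, not Rails or Active Job code and not part of the original advisory. It is a reduced, self-contained model of how job arguments are serialized on enqueue and deserialized on perform, written to show why an untrusted Hash reaching perform_later was dangerous: a Hash whose only key is the reserved `_aj_globalid` marker is treated on deserialization as a GlobalID and resolved to a record. The in-memory RECORDS store, the locate stand-in, the `gid://app/...` identifiers and the attacker payload are all constructed for the demo; the "checked" serializer models the remediation of refusing reserved keys before the argument is enqueued.

```ruby
# Added example (not Active Job's code): a reduced model of job-argument
# serialization, used to show the CVE-2018-16476 pattern and its remedy.

GLOBALID_KEY = "_aj_globalid"

# Constructed in-memory "database": what a GlobalID locator would look up.
RECORDS = {
  "gid://app/User/1" => { id: 1, email: "alice@example.com", role: "admin" },
  "gid://app/User/2" => { id: 2, email: "bob@example.com",   role: "member" },
}.freeze

# Stand-in for GlobalID::Locator.locate (assumption for the demo).
def locate(gid)
  RECORDS.fetch(gid) { raise KeyError, "no record for #{gid}" }
end

# Models the unpatched serializer: a Hash argument is serialized by copying
# its values, with no check on which keys the caller supplied.
def serialize_unchecked(arg)
  case arg
  when Hash then arg.transform_values { |v| serialize_unchecked(v) }
  else arg
  end
end

# Models the deserializer that runs inside the worker: a one-key Hash whose
# only key is GLOBALID_KEY is taken to be a serialized GlobalID and located.
def deserialize(arg)
  case arg
  when Hash
    if arg.size == 1 && arg.key?(GLOBALID_KEY)
      locate(arg[GLOBALID_KEY])
    else
      arg.transform_values { |v| deserialize(v) }
    end
  else arg
  end
end

# Models the patched serializer: a user-supplied Hash carrying a reserved
# key is refused at enqueue time, so it can never masquerade as a GlobalID.
class SerializationError < StandardError; end
RESERVED_KEYS = [GLOBALID_KEY, GLOBALID_KEY.to_sym].freeze

def serialize_checked(arg)
  case arg
  when Hash
    arg.each_key do |k|
      raise SerializationError, "reserved key #{k.inspect}" if RESERVED_KEYS.include?(k)
    end
    arg.transform_values { |v| serialize_checked(v) }
  else arg
  end
end

# Simulates MyJob.perform_later(user_input): enqueue (serialize) then perform
# (deserialize), returning what the job's perform method would receive.
def run_job(user_input, serializer)
  deserialize(send(serializer, user_input))
end

# Constructed attacker payload: request params shaped like a serialized GlobalID.
ATTACKER_PARAMS = { "filter" => { "_aj_globalid" => "gid://app/User/1" } }.freeze

if __FILE__ == $0
  # Unpatched: the job is handed User 1's record instead of the attacker's Hash.
  p run_job(ATTACKER_PARAMS, :serialize_unchecked)
  # Patched: the payload is rejected before it is ever enqueued.
  begin
    run_job(ATTACKER_PARAMS, :serialize_checked)
  rescue SerializationError => e
    puts "rejected: #{e.message}"
  end
end
```

The application-side lesson is the same regardless of the library fix: pass job arguments you have constructed yourself (permitted scalar values, or records you looked up under the current user's authorization) rather than an unfiltered request params Hash, so that a caller cannot smuggle serializer metadata into the job payload.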

All users running an affected release should either upgrade or use one of the workarounds immediately.

CVSS Metrics: n/a
Patched Versions

~> 4.2.11
~> 5.0.7.1
~> 5.1.6.1
~> 5.1.7
>= 5.2.1.1

Unaffected Versions

< 4.2.0

References

n/a