CVE-2018-16476

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-16476

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-16476.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-16476

Aliases

GHSA-q2qw-rmrh-vv42

Downstream

RHSA-2019:0600

SUSE-SU-2018:3996-1

SUSE-SU-2019:0152-1

UBUNTU-CVE-2018-16476

openSUSE-SU-2024:11322-1

openSUSE-SU-2024:11347-1

Related

Published

2018-11-30T19:29:00Z

Modified

2025-09-24T09:00:27.228165Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.

References

Affected packages

Git / github.com/rails/rails

Affected ranges

Type: GIT
Repo: https://github.com/rails/rails
Events: Introduced

7847a19f476fb9bee287681586d872ea43785e53

Fixed

474b7392c69852e8932260ea370cd63cf1e4fcaa

Affected versions

v4.*

v4.2.0

v4.2.1

v4.2.1.rc1

v4.2.1.rc2

v4.2.1.rc3

v4.2.1.rc4

v4.2.10

v4.2.10.rc1

v4.2.2

v4.2.3

v4.2.3.rc1

v4.2.4

v4.2.4.rc1

v4.2.5

v4.2.5.1

v4.2.5.2

v4.2.5.rc1

v4.2.5.rc2

v4.2.6

v4.2.6.rc1

v4.2.7

v4.2.7.1

v4.2.7.rc1

v4.2.8

v4.2.8.rc1

v4.2.9

v4.2.9.rc1

v4.2.9.rc2