GHSA-q2qw-rmrh-vv42

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-q2qw-rmrh-vv42/GHSA-q2qw-rmrh-vv42.json
Aliases
  • CVE-2018-16476
Published
2018-12-05T17:24:27Z
Modified
2022-08-15T08:48:32.029878Z
Details

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input that causes Active Job to deserialize it using GlobalId, giving them access to information they should not have.

References

Affected packages

RubyGems / activejob

activejob

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.11

Affected versions

4.*

4.2.0
4.2.1
4.2.1.rc1
4.2.1.rc2
4.2.1.rc3
4.2.1.rc4
4.2.10
4.2.10.rc1
4.2.2
4.2.3
4.2.3.rc1
4.2.4
4.2.4.rc1
4.2.5
4.2.5.1
4.2.5.2
4.2.5.rc1
4.2.5.rc2
4.2.6
4.2.6.rc1
4.2.7
4.2.7.1
4.2.7.rc1
4.2.8
4.2.8.rc1
4.2.9
4.2.9.rc1
4.2.9.rc2

RubyGems / activejob

activejob

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.7.1

Affected versions

5.*

5.0.0
5.0.0.1
5.0.1
5.0.1.rc1
5.0.1.rc2
5.0.2
5.0.2.rc1
5.0.3
5.0.4
5.0.4.rc1
5.0.5
5.0.5.rc1
5.0.5.rc2
5.0.6
5.0.6.rc1
5.0.7

Database specific

{
    "last_known_affected_version_range": "<= 5.0.7.0"
}

RubyGems / activejob

activejob

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Fixed
5.1.6.1

Affected versions

5.*

5.1.0
5.1.1
5.1.2
5.1.2.rc1
5.1.3
5.1.3.rc1
5.1.3.rc2
5.1.3.rc3
5.1.4
5.1.4.rc1
5.1.5
5.1.5.rc1
5.1.6

Database specific

{
    "last_known_affected_version_range": "<= 5.1.6.0"
}

RubyGems / activejob

activejob

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.2.1.1

Affected versions

5.*

5.2.0
5.2.1
5.2.1.rc1

Database specific

{
    "last_known_affected_version_range": "<= 5.2.1.0"
}