GHSA-q2qw-rmrh-vv42

Source

https://github.com/advisories/GHSA-q2qw-rmrh-vv42

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-q2qw-rmrh-vv42/GHSA-q2qw-rmrh-vv42.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q2qw-rmrh-vv42

Aliases

CVE-2018-16476

Published

2018-12-05T17:24:27Z

Modified

2024-02-17T05:33:12.879561Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Improper Access Control in activejob

Details

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.

Database specific

{
    "nvd_published_at": "2018-11-30T19:29:00Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:50:29Z"
}

References

Affected packages

RubyGems / activejob

Package

Name: activejob
Purl: pkg:gem/activejob

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0

Fixed

4.2.11

Affected versions

4.*

4.2.0

4.2.1.rc1

4.2.1.rc2

4.2.1.rc3

4.2.1.rc4

4.2.1

4.2.2

4.2.3.rc1

4.2.3

4.2.4.rc1

4.2.4

4.2.5.rc1

4.2.5.rc2

4.2.5

4.2.5.1

4.2.5.2

4.2.6.rc1

4.2.6

4.2.7.rc1

4.2.7

4.2.7.1

4.2.8.rc1

4.2.8

4.2.9.rc1

4.2.9.rc2

4.2.9

4.2.10.rc1

4.2.10

RubyGems / activejob

Package

Name: activejob
Purl: pkg:gem/activejob

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.7.1

Affected versions

5.*

5.0.0

5.0.0.1

5.0.1.rc1

5.0.1.rc2

5.0.1

5.0.2.rc1

5.0.2

5.0.3

5.0.4.rc1

5.0.4

5.0.5.rc1

5.0.5.rc2

5.0.5

5.0.6.rc1

5.0.6

5.0.7

Database specific

{
    "last_known_affected_version_range": "<= 5.0.7.0"
}

RubyGems / activejob

Package

Name: activejob
Purl: pkg:gem/activejob

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.1.0

Fixed

5.1.6.1

Affected versions

5.*

5.1.0

5.1.1

5.1.2.rc1

5.1.2

5.1.3.rc1

5.1.3.rc2

5.1.3.rc3

5.1.3

5.1.4.rc1

5.1.4

5.1.5.rc1

5.1.5

5.1.6

Database specific

{
    "last_known_affected_version_range": "<= 5.1.6.0"
}

RubyGems / activejob

Package

Name: activejob
Purl: pkg:gem/activejob

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.2.0

Fixed

5.2.1.1

Affected versions

5.*

5.2.0

5.2.1.rc1

5.2.1

Database specific

{
    "last_known_affected_version_range": "<= 5.2.1.0"
}