GHSA-q2qw-rmrh-vv42
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q2qw-rmrh-vv42
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-q2qw-rmrh-vv42/GHSA-q2qw-rmrh-vv42.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q2qw-rmrh-vv42
- Aliases
- Published
- 2018-12-05T17:24:27Z
- Modified
- 2024-02-17T05:33:12.879561Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Improper Access Control in activejob
- Details
-
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.
- Database specific
{ "nvd_published_at": "2018-11-30T19:29:00Z", "cwe_ids": [ "CWE-284", "CWE-502" ], "github_reviewed_at": "2020-06-16T21:50:29Z", "severity": "HIGH", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-16476
- https://github.com/rails/rails/commit/970b0d754be7c71a760d9b807eea32297fd838e3
- https://access.redhat.com/errata/RHSA-2019:0600
- https://github.com/rails/rails
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/CVE-2018-16476.yml
- https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
- https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
- https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released
Affected packages
RubyGems / activejob
Package
- Name
- activejob
- Purl
- pkg:gem/activejob
RubyGems / activejob
Package
- Name
- activejob
- Purl
- pkg:gem/activejob
RubyGems / activejob
Package
- Name
- activejob
- Purl
- pkg:gem/activejob
RubyGems / activejob
Package
- Name
- activejob
- Purl
- pkg:gem/activejob