---
gem: activejob
cve: 2018-16476
url: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
title: Broken Access Control vulnerability in Active Job
date: 2018-11-27

description: |
  There is a vulnerability in Active Job. This vulnerability has been
  assigned the CVE identifier CVE-2018-16476.

  Versions Affected: >= 4.2.0
  Not affected: < 4.2.0
  Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

  Impact
  ------
  Carefully crafted user input can cause Active Job to deserialize it using GlobalId
  and allow an attacker to have access to information that they should not have.

  Vulnerable code will look something like this:

      MyJob.perform_later(user_input)

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

unaffected_versions:
  - "< 4.2.0"

patched_versions:
  - "~> 4.2.11"
  - "~> 5.0.7.1"
  - "~> 5.1.6.1"
  - "~> 5.1.7"
  - ">= 5.2.1.1"
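The advisory's workaround is to never hand raw user input to perform_later. As an added example (not part of the advisory and not Rails code), the module below narrows untrusted request values to plain scalars before they are enqueued: record ids are strictly parsed as decimal integers and strings are limited to short identifier tokens, so nothing URI-shaped or object-like ever reaches Active Job's argument deserializer. The TOKEN pattern, depth limit and method names are assumptions chosen for this example.

```ruby
# Added example: pre-enqueue filter for untrusted Active Job arguments.
# Assumption: the application only needs integer ids and short tokens
# from the request; everything else is rejected before perform_later.
module SafeJobArgs
  class UntrustedArgument < ArgumentError; end

  # Strings allowed through: short identifier tokens only. Characters such
  # as ':' and '/' are refused, so a value the job never expected cannot be
  # reinterpreted by the argument deserializer.
  TOKEN = /\A[A-Za-z0-9_\-]{1,64}\z/
  ID    = /\A\d{1,18}\z/
  MAX_DEPTH = 4

  module_function

  # Returns a copy of +arg+ made only of allowlisted scalars, arrays and
  # hashes (keys coerced to symbols), or raises UntrustedArgument.
  def sanitize(arg, depth = 0)
    raise UntrustedArgument, "nesting too deep" if depth > MAX_DEPTH
    case arg
    when Integer, Float, true, false, nil
      arg
    when String
      raise UntrustedArgument, "not a plain token: #{arg.inspect}" unless TOKEN.match?(arg)
      arg
    when Array
      arg.map { |v| sanitize(v, depth + 1) }
    when Hash
      arg.each_with_object({}) do |(k, v), out|
        key = k.to_s
        raise UntrustedArgument, "bad hash key: #{key.inspect}" unless TOKEN.match?(key)
        out[key.to_sym] = sanitize(v, depth + 1)
      end
    else
      raise UntrustedArgument, "unsupported argument type: #{arg.class}"
    end
  end

  # Strict record-id coercion: "42" -> 42; "", "4.2", "42abc", " 42 " raise.
  def record_id(raw)
    s = raw.to_s
    raise UntrustedArgument, "not a record id: #{raw.inspect}" unless ID.match?(s)
    s.to_i
  end
end

# Usage (constructed): enqueue only the narrowed value, e.g.
#   MyJob.perform_later(SafeJobArgs.record_id(params[:id]))
# and load and authorize the record inside the job from that id.
```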

Version data entries

3 entries across 3 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/activejob/CVE-2018-16476.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/activejob/CVE-2018-16476.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/activejob/CVE-2018-16476.yml