A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input that can cause Active Job to deserialize it using GlobalId, giving the attacker access to information that they should not have.
access.redhat.com/errata/RHSA-2019:0600
github.com/rails/rails
github.com/rails/rails/commit/970b0d754be7c71a760d9b807eea32297fd838e3
github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/CVE-2018-16476.yml
groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
nvd.nist.gov/vuln/detail/CVE-2018-16476
weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released