Broken Access Control vulnerability in Active Job

2018-11-2621:00:00

RubySec

rubysec.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.002 Low

EPSS

Percentile

52.2%

JSON

There is a vulnerability in Active Job. This vulnerability has been
assigned the CVE identifier CVE-2018-16476.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

Impact

Carefully crafted user input can cause Active Job to deserialize it using GlobalId
and allow an attacker to have access to information that they should not have.

Vulnerable code will look something like this:

MyJob.perform_later(user_input)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

CPENameOperatorVersion
activejoblt4.2.0
activejoble4.2.10
activejobge4.3.0
activejoble5.0.7.0
activejobge5.0.8.0
activejoble5.1.6.0
activejobge5.1.7.0
activejoble5.1.6
activejobge5.2.0
activejoblt5.2.1.1

Name	Operator	Version
activejob	lt	4.2.0
activejob	le	4.2.10
activejob	ge	4.3.0
activejob	le	5.0.7.0
activejob	ge	5.0.8.0
activejob	le	5.1.6.0
activejob	ge	5.1.7.0
activejob	le	5.1.6
activejob	ge	5.2.0
activejob	lt	5.2.1.1