activejob 5.1.3.rc3
Broken Access Control vulnerability in Active Job
high severity CVE-2018-16476~> 4.2.11
, ~> 5.0.7.1
, ~> 5.1.6.1
, ~> 5.1.7
, >= 5.2.1.1
< 4.2.0
There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.
Versions Affected: >= 4.2.0 Not affected: < 4.2.0 Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1
Impact
Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.
Vulnerable code will look something like this:
MyJob.perform_later(user_input)
All users running an affected release should either upgrade or use one of the workarounds immediately.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.