Access Restriction Bypass

Affecting activejob gem, versions >=4.2.0, <4.2.11 || >=5.0.0, <5.0.7.1 || >=5.1.1, <5.1.6.1 || >=5.2.0, <5.2.1.1

Overview

activejob declares job classes that can be run by a variety of queueing backends.

Affected versions of this package are vulnerable to Access Restriction Bypass. Carefully crafted user input can cause Active Job to deserialize it using GlobalID, giving an attacker access to information they should not have.

Remediation

Upgrade activejob to version 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1 or higher.
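As an added practitioner check that is not part of this advisory: a Ruby script that parses the affected-version expression quoted above with RubyGems' own Gem::Requirement (so comparisons match Bundler's semantics), reports whether a given or currently loaded activejob version falls in an affected range, and names the first fixed release on that line. The helper names (parse_ranges, affected?, first_fixed_version, report_loaded_activejob) are this example's own.

```ruby
require "rubygems"

# Affected-version expression exactly as printed in the advisory header.
AFFECTED_RANGES = ">=4.2.0, <4.2.11 || >=5.0.0, <5.0.7.1 || " \
                  ">=5.1.1, <5.1.6.1 || >=5.2.0, <5.2.1.1"

# Split the "||"-separated groups into Gem::Requirement objects, one per
# affected release line; each group's comma-separated constraints must all hold.
def parse_ranges(spec = AFFECTED_RANGES)
  spec.split("||").map do |group|
    Gem::Requirement.new(*group.split(",").map(&:strip))
  end
end

# True when +version+ (a string such as "5.2.1") lies in any affected range.
# Gem::Version orders four-part releases like 5.0.7.1 correctly.
def affected?(version, spec = AFFECTED_RANGES)
  v = Gem::Version.new(version)
  parse_ranges(spec).any? { |req| req.satisfied_by?(v) }
end

# For an affected version, return the first fixed release on the same line
# (the "<" upper bound of the matching range); nil when not affected.
def first_fixed_version(version, spec = AFFECTED_RANGES)
  v = Gem::Version.new(version)
  req = parse_ranges(spec).find { |r| r.satisfied_by?(v) }
  return nil unless req
  _op, bound = req.requirements.find { |op, _| op == "<" }
  bound.to_s
end

# Check the activejob gem loaded in this process, if any.
# Returns nil when activejob is not loaded, otherwise a one-line report.
def report_loaded_activejob
  spec = Gem.loaded_specs["activejob"]
  return nil unless spec
  version = spec.version.to_s
  if affected?(version)
    "activejob #{version} is affected by CVE-2018-16476; upgrade to #{first_fixed_version(version)}"
  else
    "activejob #{version} is not in an affected range"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts report_loaded_activejob || "activejob is not loaded in this process"
  puts "5.2.1: affected=#{affected?("5.2.1")} fixed_in=#{first_fixed_version("5.2.1")}"
end
```

Run it inside the application's bundle (for example via `bundle exec ruby`) so Gem.loaded_specs reflects the version the app actually resolves.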

CVSS Score

5.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credit: Unknown
CVE: CVE-2018-16476
CWE: CWE-284
Snyk ID: SNYK-RUBY-ACTIVEJOB-72640
Disclosed: 28 Nov, 2018
Published: 28 Nov, 2018