CVE-2018-16476
Improper Access Control in activejob
7.5 HIGH (CVSS 3.1)
EPSS 0.79%
Description
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.
How to fix CVE-2018-16476
To remediate CVE-2018-16476, upgrade the affected package to a fixed version below.
- —upgrade to 2:5.2.2+dfsg-1 or later
- —upgrade to 4.2.11 or later
Is CVE-2018-16476 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2:5.2.2+dfsg-1
- >= 4.2.0, < 4.2.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |