CVE-2018-16476

HIGH

Rails < 4.2.11 - Improper Access Control


Description

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input that causes Active Job to deserialize it using GlobalId, giving them access to information they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.

Scores

CVSS v3 7.5
EPSS 0.0079
EPSS Percentile 73.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-284 CWE-502
Status published

Affected Products (3)

rubyonrails/rails < 4.2.11
redhat/cloudforms
rubygems/activejob < 4.2.11 (RubyGems)

Timeline

Published Nov 30, 2018
Tracked Since Feb 18, 2026