Description
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.
References (3)
Exploit, Mailing List, Mitigation, Third Party Advisory x_refsource_misc
https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
Vendor Advisory x_refsource_misc
https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/
Third Party Advisory, vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0600
Scores
CVSS v3
7.5
EPSS
0.0079
EPSS Percentile
74.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-284
CWE-502
Status
published
Products (3)
redhat/cloudforms
4.6
rubygems/activejob
4.2.0 - 4.2.11 (RubyGems)
rubyonrails/rails
4.2.0 - 4.2.11
Published
Nov 30, 2018
Tracked Since
Feb 18, 2026