CVE-2018-16476
- Source
- https://cve.org/CVERecord?id=CVE-2018-16476
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-16476.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2018-16476
- Aliases
- Downstream
- Related
- Published
- 2018-11-30T19:29:00.220Z
- Modified
- 2026-02-11T13:58:40.940402Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.
- References
-
- https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
- https://access.redhat.com/errata/RHSA-2019:0600
- https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
- https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/
- https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
- https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
Affected packages
Git / github.com/rails/rails
Affected ranges
- Type
- GIT
- Repo
- https://github.com/rails/rails
- Events
-
IntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixed
Affected versions
v4.*
v4.2.0
v4.2.1
v4.2.1.rc1
v4.2.1.rc2
v4.2.1.rc3
v4.2.1.rc4
v4.2.10
v4.2.10.rc1
v4.2.2
v4.2.3
v4.2.3.rc1
v4.2.4
v4.2.4.rc1
v4.2.5
v4.2.5.1
v4.2.5.2
v4.2.5.rc1
v4.2.5.rc2
v4.2.6
v4.2.6.rc1
v4.2.7
v4.2.7.1
v4.2.7.rc1
v4.2.8
v4.2.8.rc1
v4.2.9
v4.2.9.rc1
v4.2.9.rc2
v5.*
v5.0.0
v5.0.0.1
v5.0.1
v5.0.1.rc1
v5.0.1.rc2
v5.0.2
v5.0.2.rc1
v5.0.3
v5.0.4
v5.0.4.rc1
v5.0.5
v5.0.5.rc1
v5.0.5.rc2
v5.0.6
v5.0.7
v5.1.0
v5.1.1
v5.1.2
v5.1.2.rc1
v5.1.3
v5.1.3.rc1
v5.1.3.rc2
v5.1.3.rc3
v5.1.4
v5.1.4.rc1
v5.1.5
v5.1.5.rc1
v5.1.6
v5.2.0
v5.2.1
v5.2.1.rc1