GHSA-q2qw-rmrh-vv42

Suggest an improvement
Source
https://github.com/advisories/GHSA-q2qw-rmrh-vv42
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-q2qw-rmrh-vv42/GHSA-q2qw-rmrh-vv42.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-q2qw-rmrh-vv42
Aliases
Published
2018-12-05T17:24:27Z
Modified
2024-02-17T05:37:47.402129Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Improper Access Control in activejob
Details

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.

Database specific
{
    "nvd_published_at": "2018-11-30T19:29:00Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:50:29Z"
}
References

Affected packages

RubyGems / activejob

Package

Name
activejob
Purl
pkg:gem/activejob

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.11

Affected versions

4.*

4.2.0
4.2.1.rc1
4.2.1.rc2
4.2.1.rc3
4.2.1.rc4
4.2.1
4.2.2
4.2.3.rc1
4.2.3
4.2.4.rc1
4.2.4
4.2.5.rc1
4.2.5.rc2
4.2.5
4.2.5.1
4.2.5.2
4.2.6.rc1
4.2.6
4.2.7.rc1
4.2.7
4.2.7.1
4.2.8.rc1
4.2.8
4.2.9.rc1
4.2.9.rc2
4.2.9
4.2.10.rc1
4.2.10

RubyGems / activejob

Package

Name
activejob
Purl
pkg:gem/activejob

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.7.1

Affected versions

5.*

5.0.0
5.0.0.1
5.0.1.rc1
5.0.1.rc2
5.0.1
5.0.2.rc1
5.0.2
5.0.3
5.0.4.rc1
5.0.4
5.0.5.rc1
5.0.5.rc2
5.0.5
5.0.6.rc1
5.0.6
5.0.7

Database specific

{
    "last_known_affected_version_range": "<= 5.0.7.0"
}

RubyGems / activejob

Package

Name
activejob
Purl
pkg:gem/activejob

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Fixed
5.1.6.1

Affected versions

5.*

5.1.0
5.1.1
5.1.2.rc1
5.1.2
5.1.3.rc1
5.1.3.rc2
5.1.3.rc3
5.1.3
5.1.4.rc1
5.1.4
5.1.5.rc1
5.1.5
5.1.6

Database specific

{
    "last_known_affected_version_range": "<= 5.1.6.0"
}

RubyGems / activejob

Package

Name
activejob
Purl
pkg:gem/activejob

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.2.1.1

Affected versions

5.*

5.2.0
5.2.1.rc1
5.2.1

Database specific

{
    "last_known_affected_version_range": "<= 5.2.1.0"
}