github - ghsa-q2qw-rmrh-vv42

ghsa-q2qw-rmrh-vv42

Vulnerability from github

Published

2018-12-05 17:24

Modified

2023-06-30 19:52

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

Improper Access Control in activejob

Details

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "activejob"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.7.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "activejob"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.1.6.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "activejob"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.1.0"
            },
            {
              "fixed": "5.1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.1.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "activejob"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "5.2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-16476"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:50:29Z",
    "nvd_published_at": "2018-11-30T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "A Broken Access Control vulnerability in Active Job versions \u003e= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.",
  "id": "GHSA-q2qw-rmrh-vv42",
  "modified": "2023-06-30T19:52:40Z",
  "published": "2018-12-05T17:24:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16476"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/970b0d754be7c71a760d9b807eea32297fd838e3"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0600"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/CVE-2018-16476.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw"
    },
    {
      "type": "WEB",
      "url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Access Control in activejob"
}

cve-2018-16476

Vulnerability from cvelistv5

Published

2018-11-30 19:00

Modified

2024-08-05 10:24

Severity ?

Summary

References

▼	URL	Tags
	https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ	x_refsource_MISC
	https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/	x_refsource_MISC
	https://access.redhat.com/errata/RHSA-2019:0600	vendor-advisory, x_refsource_REDHAT

Impacted products

Vendor

Product

Version

▼

n/a

https://github.com/rails/rails

Version: 4.2.0 up to and before 4.2.11
Version: 4.2.0 up to and before 5.0.7.1
Version: 4.2.0 up to and before 5.1.6.1
Version: 4.2.0 up to and before 5.2.1.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:24:32.802Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/"
          },
          {
            "name": "RHSA-2019:0600",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0600"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "https://github.com/rails/rails",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "4.2.0 up to and before 4.2.11"
            },
            {
              "status": "affected",
              "version": "4.2.0 up to and before 5.0.7.1"
            },
            {
              "status": "affected",
              "version": "4.2.0 up to and before 5.1.6.1"
            },
            {
              "status": "affected",
              "version": "4.2.0 up to and before 5.2.1.1"
            }
          ]
        }
      ],
      "datePublic": "2018-11-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Broken Access Control vulnerability in Active Job versions \u003e= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control - Generic (CWE-284)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-10T16:41:54",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/"
        },
        {
          "name": "RHSA-2019:0600",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0600"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2018-16476",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/rails/rails",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4.2.0 up to and before 4.2.11"
                          },
                          {
                            "version_value": "4.2.0 up to and before 5.0.7.1"
                          },
                          {
                            "version_value": "4.2.0 up to and before 5.1.6.1"
                          },
                          {
                            "version_value": "4.2.0 up to and before 5.2.1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Broken Access Control vulnerability in Active Job versions \u003e= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Access Control - Generic (CWE-284)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ",
              "refsource": "MISC",
              "url": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ"
            },
            {
              "name": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/",
              "refsource": "MISC",
              "url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/"
            },
            {
              "name": "RHSA-2019:0600",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0600"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2018-16476",
    "datePublished": "2018-11-30T19:00:00",
    "dateReserved": "2018-09-04T00:00:00",
    "dateUpdated": "2024-08-05T10:24:32.802Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

gsd-2018-16476

Vulnerability from gsd

Modified

2018-11-27 00:00

Details

There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476. Versions Affected: >= 4.2.0 Not affected: < 4.2.0 Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1 Impact ------ Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have. Vulnerable code will look something like this: MyJob.perform_later(user_input) All users running an affected release should either upgrade or use one of the workarounds immediately.

Aliases

CVE-2018-16476

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-16476",
    "description": "A Broken Access Control vulnerability in Active Job versions \u003e= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.",
    "id": "GSD-2018-16476",
    "references": [
      "https://www.suse.com/security/cve/CVE-2018-16476.html",
      "https://access.redhat.com/errata/RHSA-2019:0600"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "activejob",
            "purl": "pkg:gem/activejob"
          }
        }
      ],
      "aliases": [
        "CVE-2018-16476",
        "GHSA-q2qw-rmrh-vv42"
      ],
      "details": "There is a vulnerability in Active Job. This vulnerability has been\nassigned the CVE identifier CVE-2018-16476.\n\nVersions Affected: \u003e= 4.2.0\nNot affected: \u003c 4.2.0\nFixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1\n\nImpact\n------\nCarefully crafted user input can cause Active Job to deserialize it using GlobalId\nand allow an attacker to have access to information that they should not have.\n\nVulnerable code will look something like this:\n\n    MyJob.perform_later(user_input)\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n",
      "id": "GSD-2018-16476",
      "modified": "2018-11-27T00:00:00.000Z",
      "published": "2018-11-27T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Broken Access Control vulnerability in Active Job"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2018-16476",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "https://github.com/rails/rails",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "4.2.0 up to and before 4.2.11"
                        },
                        {
                          "version_value": "4.2.0 up to and before 5.0.7.1"
                        },
                        {
                          "version_value": "4.2.0 up to and before 5.1.6.1"
                        },
                        {
                          "version_value": "4.2.0 up to and before 5.2.1.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A Broken Access Control vulnerability in Active Job versions \u003e= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Improper Access Control - Generic (CWE-284)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ",
            "refsource": "MISC",
            "url": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ"
          },
          {
            "name": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/",
            "refsource": "MISC",
            "url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/"
          },
          {
            "name": "RHSA-2019:0600",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:0600"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2018-16476",
      "cvss_v3": 7.5,
      "date": "2018-11-27",
      "description": "There is a vulnerability in Active Job. This vulnerability has been\nassigned the CVE identifier CVE-2018-16476.\n\nVersions Affected: \u003e= 4.2.0\nNot affected: \u003c 4.2.0\nFixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1\n\nImpact\n------\nCarefully crafted user input can cause Active Job to deserialize it using GlobalId\nand allow an attacker to have access to information that they should not have.\n\nVulnerable code will look something like this:\n\n    MyJob.perform_later(user_input)\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n",
      "gem": "activejob",
      "ghsa": "q2qw-rmrh-vv42",
      "patched_versions": [
        "~\u003e 4.2.11",
        "~\u003e 5.0.7.1",
        "~\u003e 5.1.6.1",
        "~\u003e 5.1.7",
        "\u003e= 5.2.1.1"
      ],
      "title": "Broken Access Control vulnerability in Active Job",
      "unaffected_versions": [
        "\u003c 4.2.0"
      ],
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=5.1.0 \u003c5.1.6.1||\u003e=4.2.0 \u003c4.2.11||\u003e=5.0.0 \u003c5.0.7.1||\u003e=5.2.0 \u003c5.2.1.1",
          "affected_versions": "All versions starting from 5.1.0 before 5.1.6.1, all versions starting from 4.2.0 before 4.2.11, all versions starting from 5.0.0 before 5.0.7.1, all versions starting from 5.2.0 before 5.2.1.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2019-10-09",
          "description": "A Broken Access Control vulnerability in Active Job ",
          "fixed_versions": [
            "4.2.11",
            "5.0.7.1",
            "5.1.6.1",
            "5.2.1.1"
          ],
          "identifier": "CVE-2018-16476",
          "identifiers": [
            "CVE-2018-16476"
          ],
          "not_impacted": "All versions before 5.1.0, all versions starting from 5.1.6.1, all versions before 4.2.0, all versions starting from 4.2.11 before 5.0.0, all versions starting from 5.0.7.1 before 5.2.0, all versions starting from 5.2.1.1",
          "package_slug": "gem/activejob",
          "pubdate": "2018-11-30",
          "solution": "Upgrade to versions 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-16476",
            "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/",
            "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ",
            "https://access.redhat.com/errata/RHSA-2019:0600"
          ],
          "uuid": "92342f72-5614-453b-9cb1-c290530f0c14"
        },
        {
          "affected_range": "\u003e=4.2.0 \u003c4.2.11||\u003e=5.0.0 \u003c5.0.7.1||\u003e=5.1.0 \u003c5.1.6.1||\u003e=5.2.0 \u003c5.2.1.1",
          "affected_versions": "All versions starting from 4.2.0 before 4.2.11, all versions starting from 5.0.0 before 5.0.7.1, all versions starting from 5.1.0 before 5.1.6.1, all versions starting from 5.2.0 before 5.2.1.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2019-10-09",
          "description": "A Broken Access Control vulnerability in Active Job allows attackers to craft user input which, when deserialized through Active Job, could give them access to information that they should not have.",
          "fixed_versions": [
            "4.2.11",
            "5.0.7.1",
            "5.1.6.1",
            "5.2.1.1"
          ],
          "identifier": "CVE-2018-16476",
          "identifiers": [
            "CVE-2018-16476"
          ],
          "not_impacted": "All versions before 4.2.0, all versions starting from 4.2.11 before 5.0.0, all versions starting from 5.0.7.1 before 5.1.0, all versions starting from 5.1.6.1 before 5.2.0, all versions starting from 5.2.1.1",
          "package_slug": "gem/rails",
          "pubdate": "2018-11-30",
          "solution": "Upgrade to versions 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-16476",
            "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/"
          ],
          "uuid": "18b3b503-c508-4713-9bb9-057fcefe6dfe"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.1.6.1",
                "versionStartIncluding": "5.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.2.11",
                "versionStartIncluding": "4.2.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.0.7.1",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.1.1",
                "versionStartIncluding": "5.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2018-16476"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A Broken Access Control vulnerability in Active Job versions \u003e= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/"
            },
            {
              "name": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Mitigation",
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ"
            },
            {
              "name": "RHSA-2019:0600",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0600"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2019-10-09T23:36Z",
      "publishedDate": "2018-11-30T19:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

ghsa-q2qw-rmrh-vv42

Vulnerability from github

cve-2018-16476

Vulnerability from cvelistv5

gsd-2018-16476

Vulnerability from gsd

Tags

Sightings

Nomenclature