gsd-2018-16476
Vulnerability from gsd
Modified
2018-11-27 00:00
Details
There is a Broken Access Control vulnerability in Active Job (the `activejob` gem shipped with Ruby on Rails). It has been assigned the CVE identifier CVE-2018-16476 (GitHub advisory alias GHSA-q2qw-rmrh-vv42); note that while the CVE record classifies it as CWE-284 (improper access control), NVD and GitLab classify it as CWE-502 (deserialization of untrusted data).
Versions Affected: >= 4.2.0 — i.e. every 4.2.x, 5.0.x, 5.1.x and 5.2.x release earlier than the fixed version for its branch listed below.
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1
Impact
------
Carefully crafted user input, when passed as a job argument, can cause Active Job to deserialize it through GlobalID rather than treating it as an opaque value, giving an attacker access to information that they should not have. The flaw is rated CVSS v3 7.5 (network-reachable, no privileges or user interaction required, high confidentiality impact, no integrity or availability impact).
Vulnerable code will look something like this — an untrusted, unvalidated value handed directly to a job as an argument:
MyJob.perform_later(user_input)
All users running an affected release should either upgrade to the fixed version for their branch (listed above) or apply one of the workarounds immediately. The workarounds are not reproduced on this page; they are described in the original rubyonrails-security announcement linked in the references below (the NVD entry tags that link as "Mitigation").
Aliases
{ "GSD": { "alias": "CVE-2018-16476", "description": "A Broken Access Control vulnerability in Active Job versions \u003e= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.", "id": "GSD-2018-16476", "references": [ "https://www.suse.com/security/cve/CVE-2018-16476.html", "https://access.redhat.com/errata/RHSA-2019:0600" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "affected": [ { "package": { "ecosystem": "RubyGems", "name": "activejob", "purl": "pkg:gem/activejob" } } ], "aliases": [ "CVE-2018-16476", "GHSA-q2qw-rmrh-vv42" ], "details": "There is a vulnerability in Active Job. This vulnerability has been\nassigned the CVE identifier CVE-2018-16476.\n\nVersions Affected: \u003e= 4.2.0\nNot affected: \u003c 4.2.0\nFixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1\n\nImpact\n------\nCarefully crafted user input can cause Active Job to deserialize it using GlobalId\nand allow an attacker to have access to information that they should not have.\n\nVulnerable code will look something like this:\n\n MyJob.perform_later(user_input)\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n", "id": "GSD-2018-16476", "modified": "2018-11-27T00:00:00.000Z", "published": "2018-11-27T00:00:00.000Z", "references": [ { "type": "WEB", "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw" } ], "schema_version": "1.4.0", "severity": [ { "score": 7.5, "type": "CVSS_V3" } ], "summary": "Broken Access Control vulnerability in Active Job" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2018-16476", "STATE": "PUBLIC" }, "affects": { "vendor": { 
"vendor_data": [ { "product": { "product_data": [ { "product_name": "https://github.com/rails/rails", "version": { "version_data": [ { "version_value": "4.2.0 up to and before 4.2.11" }, { "version_value": "4.2.0 up to and before 5.0.7.1" }, { "version_value": "4.2.0 up to and before 5.1.6.1" }, { "version_value": "4.2.0 up to and before 5.2.1.1" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A Broken Access Control vulnerability in Active Job versions \u003e= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Access Control - Generic (CWE-284)" } ] } ] }, "references": { "reference_data": [ { "name": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ", "refsource": "MISC", "url": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ" }, { "name": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/", "refsource": "MISC", "url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/" }, { "name": "RHSA-2019:0600", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:0600" } ] } }, "github.com/rubysec/ruby-advisory-db": { "cve": "2018-16476", "cvss_v3": 7.5, "date": "2018-11-27", "description": "There is a vulnerability in Active Job. 
This vulnerability has been\nassigned the CVE identifier CVE-2018-16476.\n\nVersions Affected: \u003e= 4.2.0\nNot affected: \u003c 4.2.0\nFixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1\n\nImpact\n------\nCarefully crafted user input can cause Active Job to deserialize it using GlobalId\nand allow an attacker to have access to information that they should not have.\n\nVulnerable code will look something like this:\n\n MyJob.perform_later(user_input)\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n", "gem": "activejob", "ghsa": "q2qw-rmrh-vv42", "patched_versions": [ "~\u003e 4.2.11", "~\u003e 5.0.7.1", "~\u003e 5.1.6.1", "~\u003e 5.1.7", "\u003e= 5.2.1.1" ], "title": "Broken Access Control vulnerability in Active Job", "unaffected_versions": [ "\u003c 4.2.0" ], "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw" }, "gitlab.com": { "advisories": [ { "affected_range": "\u003e=5.1.0 \u003c5.1.6.1||\u003e=4.2.0 \u003c4.2.11||\u003e=5.0.0 \u003c5.0.7.1||\u003e=5.2.0 \u003c5.2.1.1", "affected_versions": "All versions starting from 5.1.0 before 5.1.6.1, all versions starting from 4.2.0 before 4.2.11, all versions starting from 5.0.0 before 5.0.7.1, all versions starting from 5.2.0 before 5.2.1.1", "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-937" ], "date": "2019-10-09", "description": "A Broken Access Control vulnerability in Active Job ", "fixed_versions": [ "4.2.11", "5.0.7.1", "5.1.6.1", "5.2.1.1" ], "identifier": "CVE-2018-16476", "identifiers": [ "CVE-2018-16476" ], "not_impacted": "All versions before 5.1.0, all versions starting from 5.1.6.1, all versions before 4.2.0, all versions starting from 4.2.11 before 5.0.0, all versions starting from 5.0.7.1 before 5.2.0, all versions starting from 5.2.1.1", "package_slug": "gem/activejob", "pubdate": "2018-11-30", "solution": "Upgrade 
to versions 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1 or above.", "title": "Deserialization of Untrusted Data", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2018-16476", "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/", "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ", "https://access.redhat.com/errata/RHSA-2019:0600" ], "uuid": "92342f72-5614-453b-9cb1-c290530f0c14" }, { "affected_range": "\u003e=4.2.0 \u003c4.2.11||\u003e=5.0.0 \u003c5.0.7.1||\u003e=5.1.0 \u003c5.1.6.1||\u003e=5.2.0 \u003c5.2.1.1", "affected_versions": "All versions starting from 4.2.0 before 4.2.11, all versions starting from 5.0.0 before 5.0.7.1, all versions starting from 5.1.0 before 5.1.6.1, all versions starting from 5.2.0 before 5.2.1.1", "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-937" ], "date": "2019-10-09", "description": "A Broken Access Control vulnerability in Active Job allows attackers to craft user input which, when deserialized through Active Job, could give them access to information that they should not have.", "fixed_versions": [ "4.2.11", "5.0.7.1", "5.1.6.1", "5.2.1.1" ], "identifier": "CVE-2018-16476", "identifiers": [ "CVE-2018-16476" ], "not_impacted": "All versions before 4.2.0, all versions starting from 4.2.11 before 5.0.0, all versions starting from 5.0.7.1 before 5.1.0, all versions starting from 5.1.6.1 before 5.2.0, all versions starting from 5.2.1.1", "package_slug": "gem/rails", "pubdate": "2018-11-30", "solution": "Upgrade to versions 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1 or above.", "title": "Deserialization of Untrusted Data", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2018-16476", "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/" ], "uuid": "18b3b503-c508-4713-9bb9-057fcefe6dfe" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { 
"children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "5.1.6.1", "versionStartIncluding": "5.1.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "4.2.11", "versionStartIncluding": "4.2.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "5.0.7.1", "versionStartIncluding": "5.0.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "5.2.1.1", "versionStartIncluding": "5.2.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "cve-assignments@hackerone.com", "ID": "CVE-2018-16476" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "A Broken Access Control vulnerability in Active Job versions \u003e= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-502" } ] } ] }, "references": { "reference_data": [ { "name": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/", "refsource": "MISC", "tags": [ "Vendor Advisory" ], "url": "https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/" }, { "name": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ", "refsource": "MISC", "tags": [ "Exploit", "Mitigation", "Mailing List", "Third Party Advisory" ], "url": "https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ" }, { "name": "RHSA-2019:0600", "refsource": "REDHAT", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2019:0600" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6 } }, "lastModifiedDate": "2019-10-09T23:36Z", "publishedDate": "2018-11-30T19:29Z" } } }