
CVE-2018-16476

Published: 30/11/2018 Updated: 09/10/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows a malicious user to craft input which causes Active Job to deserialize it using GlobalID, giving the attacker access to information they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.
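
The version boundaries above are the only concrete facts this entry gives a defender, so the following added example (written for this page, not code from the advisory or from the Rails project) turns them into a check you can run against a Gemfile.lock. The lockfile text is a constructed sample, and the script assumes that releases newer than the 5.2 series were cut after the fix and that releases below 4.2.0 are outside the stated range; the helper names `cve_2018_16476_affected?` and `activejob_version_from_lockfile` are this example's own.

```ruby
# Added example (not from the advisory or the Rails project): decide whether an
# installed activejob version falls in the affected range for CVE-2018-16476,
# using the version boundaries stated in the vulnerability summary.
#
# Assumptions, labelled as such:
#   * the Gemfile.lock text below is a constructed sample, not a real lockfile;
#   * releases newer than the 5.2 series (6.0+) postdate the fix and are treated
#     as not affected; releases below 4.2.0 are outside the stated range.

require "rubygems" # Gem::Version; already loaded by default on modern Ruby

# Fixed release per affected series, taken from the summary above.
FIXED_BY_SERIES = {
  [4, 2] => Gem::Version.new("4.2.11"),
  [5, 0] => Gem::Version.new("5.0.7.1"),
  [5, 1] => Gem::Version.new("5.1.6.1"),
  [5, 2] => Gem::Version.new("5.2.1.1"),
}.freeze

FIRST_AFFECTED = Gem::Version.new("4.2.0")

# Returns true when version_string (e.g. "5.2.1") is within the affected range.
def cve_2018_16476_affected?(version_string)
  version = Gem::Version.new(version_string)
  return false if version < FIRST_AFFECTED

  series = version.segments.first(2)   # e.g. "5.2.1.1" -> [5, 2]
  fixed  = FIXED_BY_SERIES[series]
  # Series with no fixed release listed (6.0+) postdate the fix: assumed safe.
  return false if fixed.nil?

  version < fixed
end

# Pull the pinned activejob version out of Gemfile.lock text. Lockfile entries
# look like "    activejob (5.2.1)"; returns nil when the gem is not pinned.
def activejob_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^\s*activejob \(([\d.]+)\)\s*$/)
  match && match[1]
end

# Constructed sample lockfile fragment (not a real project's file).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activejob (5.2.1)
        activesupport (= 5.2.1)
        globalid (>= 0.3.6)
      activesupport (5.2.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = activejob_version_from_lockfile(SAMPLE_LOCKFILE)
  status = cve_2018_16476_affected?(v) ? "AFFECTED" : "not affected"
  puts "activejob #{v}: #{status} by CVE-2018-16476"
end
```

Run it with `ruby check.rb`; to check a real project, read the file with `File.read("Gemfile.lock")` in place of the constructed sample. Matching on the series rather than a flat "< 5.2.1.1" comparison matters because 5.1.6.1 is fixed while 5.2.1 is not, even though 5.2.1 is the newer version string.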

Vulnerable Products

rubyonrails rails

redhat cloudforms 4.6

Vendor Advisories

Synopsis Moderate: CloudForms 4.6.9 security, bug fix and enhancement update Type/Severity Security Advisory: Moderate Topic An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring ...
Debian Bug report logs - #914848 rails: CVE-2018-16477: Bypass vulnerability in Active Storage Package: src:rails; Maintainer for src:rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Tue, 27 Nov 2018 22:18:01 UTC ...
Debian Bug report logs - #914847 rails: CVE-2018-16476: Broken Access Control vulnerability in Active Job Package: src:rails; Maintainer for src:rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Tue, 27 Nov 2018 22 ...
Debian Bug report logs - #924520 rails: CVE-2019-5418 CVE-2019-5419 Package: src:rails; Maintainer for src:rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Wed, 13 Mar 2019 21:33:02 UTC Severity: grave Tags: secu ...