Ruby/activejob/5.0.1
Declare job classes that can be run by a variety of queuing backends.
https://rubygems.org/gems/activejob
MIT
2 Security Vulnerabilities
Improper Access Control in activejob
Published date: 2018-12-05T17:24:27Z
CVE: CVE-2018-16476
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16476
- https://github.com/advisories/GHSA-q2qw-rmrh-vv42
- https://access.redhat.com/errata/RHSA-2019:0600
- https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
- https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/CVE-2018-16476.yml
- https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
- https://github.com/rails/rails/commit/970b0d754be7c71a760d9b807eea32297fd838e3
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.
Affected versions:
["5.2.1", "5.2.1.rc1", "5.2.0", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0"]
Secure versions:
[6.1.0.rc1, 6.0.3.4, 6.0.3.3, 6.0.3.2, 6.0.3.1, 6.0.3, 6.0.3.rc1, 6.0.2.2, 6.0.2.1, 6.0.2, 6.0.2.rc2, 6.0.2.rc1, 6.0.1, 6.0.1.rc1, 6.0.0, 6.0.0.rc2, 6.0.0.rc1, 6.0.0.beta3, 6.0.0.beta2, 6.0.0.beta1, 5.2.4.4, 5.2.4.3, 5.2.4.2, 5.2.4.1, 5.2.4, 5.2.4.rc1, 5.2.3, 5.2.3.rc1, 5.2.2.1, 5.2.2, 5.2.2.rc1, 5.2.1.1, 5.1.7, 5.1.7.rc1, 5.1.6.2, 5.1.6.1, 5.1.0.rc2, 5.1.0.rc1, 5.1.0.beta1, 5.0.7.2, 5.0.7.1, 4.2.11.3, 4.2.11.2, 4.2.11.1, 4.2.11, 4.2.0.rc3, 4.2.0.rc2, 4.2.0.rc1, 4.2.0.beta4, 4.2.0.beta3, 4.2.0.beta2, 4.2.0.beta1, 0, 6.1.0.rc2, 6.1.0, 6.1.1, 6.1.2, 6.1.2.1, 6.0.3.5, 5.2.4.5, 6.1.3, 6.1.3.1, 6.0.3.6, 5.2.5, 6.1.3.2, 6.0.3.7, 5.2.6, 5.2.4.6, 6.0.4, 6.1.4, 6.1.4.1, 6.0.4.1, 7.0.0.alpha2, 7.0.0.alpha1, 7.0.0.rc1, 7.0.0.rc3, 7.0.0.rc2, 6.1.4.3, 6.1.4.2, 6.0.4.3, 6.0.4.2, 6.1.4.4, 6.0.4.4, 7.0.0, 7.0.1, 7.0.2, 7.0.2.2, 7.0.2.1, 6.1.4.6, 6.1.4.5, 6.0.4.6, 6.0.4.5, 5.2.6.2, 5.2.6.1, 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3, 6.1.5, 5.2.7, 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1, 7.0.3, 6.1.6, 6.0.5, 5.2.8, 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1, 7.0.4, 6.1.7, 6.0.6, 7.0.4.1, 6.1.7.1, 6.0.6.1, 7.0.4.2, 6.1.7.2, 7.0.4.3, 6.1.7.3, 7.0.5, 7.0.5.1, 6.1.7.4, 7.0.6, 7.0.7, 7.0.7.2, 7.0.7.1, 6.1.7.6, 6.1.7.5, 7.0.8, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.3.2, 7.1.3.1, 7.0.8.1, 6.1.7.7]
Recommendation:
Update to version 7.1.3.2.
Broken Access Control vulnerability in Active Job
Published date: 2018-11-27
Framework: rails
CVE: 2018-16476
CVSS V3: 7.5
There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.
Versions Affected: >= 4.2.0 Not affected: < 4.2.0 Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1
Impact
Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.
Vulnerable code will look something like this:
MyJob.perform_later(user_input)
All users running an affected release should either upgrade or use one of the workarounds immediately.
Affected versions:
["5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1"]
Secure versions:
[6.1.0.rc1, 6.0.3.4, 6.0.3.3, 6.0.3.2, 6.0.3.1, 6.0.3, 6.0.3.rc1, 6.0.2.2, 6.0.2.1, 6.0.2, 6.0.2.rc2, 6.0.2.rc1, 6.0.1, 6.0.1.rc1, 6.0.0, 6.0.0.rc2, 6.0.0.rc1, 6.0.0.beta3, 6.0.0.beta2, 6.0.0.beta1, 5.2.4.4, 5.2.4.3, 5.2.4.2, 5.2.4.1, 5.2.4, 5.2.4.rc1, 5.2.3, 5.2.3.rc1, 5.2.2.1, 5.2.2, 5.2.2.rc1, 5.2.1.1, 5.1.7, 5.1.7.rc1, 5.1.6.2, 5.1.6.1, 5.1.0.rc2, 5.1.0.rc1, 5.1.0.beta1, 5.0.7.2, 5.0.7.1, 4.2.11.3, 4.2.11.2, 4.2.11.1, 4.2.11, 4.2.0.rc3, 4.2.0.rc2, 4.2.0.rc1, 4.2.0.beta4, 4.2.0.beta3, 4.2.0.beta2, 4.2.0.beta1, 0, 6.1.0.rc2, 6.1.0, 6.1.1, 6.1.2, 6.1.2.1, 6.0.3.5, 5.2.4.5, 6.1.3, 6.1.3.1, 6.0.3.6, 5.2.5, 6.1.3.2, 6.0.3.7, 5.2.6, 5.2.4.6, 6.0.4, 6.1.4, 6.1.4.1, 6.0.4.1, 7.0.0.alpha2, 7.0.0.alpha1, 7.0.0.rc1, 7.0.0.rc3, 7.0.0.rc2, 6.1.4.3, 6.1.4.2, 6.0.4.3, 6.0.4.2, 6.1.4.4, 6.0.4.4, 7.0.0, 7.0.1, 7.0.2, 7.0.2.2, 7.0.2.1, 6.1.4.6, 6.1.4.5, 6.0.4.6, 6.0.4.5, 5.2.6.2, 5.2.6.1, 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3, 6.1.5, 5.2.7, 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1, 7.0.3, 6.1.6, 6.0.5, 5.2.8, 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1, 7.0.4, 6.1.7, 6.0.6, 7.0.4.1, 6.1.7.1, 6.0.6.1, 7.0.4.2, 6.1.7.2, 7.0.4.3, 6.1.7.3, 7.0.5, 7.0.5.1, 6.1.7.4, 7.0.6, 7.0.7, 7.0.7.2, 7.0.7.1, 6.1.7.6, 6.1.7.5, 7.0.8, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.3.2, 7.1.3.1, 7.0.8.1, 6.1.7.7]
Recommendation:
Update to version 7.1.3.2.
215 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 5.0.0.beta1 | MIT | 1 | 2015-12-18 - 21:17 | over 8 years |
| 5.2.0.beta1 | MIT | 1 | 2017-11-27 - 18:04 | over 6 years |
| 5.2.0.beta2 | MIT | 1 | 2017-11-28 - 05:03 | over 6 years |
| 5.0.0.beta1.1 | MIT | 1 | 2016-01-25 - 19:24 | over 8 years |
| 5.0.0.beta2 | MIT | 1 | 2016-02-01 - 22:05 | about 8 years |
| 5.2.0.rc1 | MIT | 1 | 2018-01-30 - 23:37 | about 6 years |
| 5.0.0.beta3 | MIT | 1 | 2016-02-24 - 16:15 | about 8 years |
| 5.0.0.rc2 | MIT | 1 | 2016-06-22 - 20:02 | almost 8 years |
| 5.2.0.rc2 | MIT | 1 | 2018-03-20 - 17:53 | about 6 years |
| 5.0.0.beta4 | MIT | 1 | 2016-04-27 - 20:54 | about 8 years |
| 5.0.0.rc1 | MIT | 1 | 2016-05-06 - 21:57 | almost 8 years |
| 5.0.0.racecar1 | MIT | 1 | 2016-05-06 - 22:01 | almost 8 years |
| 5.0.1.rc1 | MIT | 2 | 2016-11-30 - 20:02 | over 7 years |
| 5.0.6 | MIT | 2 | 2017-09-08 - 00:46 | over 6 years |
| 5.0.2 | MIT | 2 | 2017-03-01 - 23:13 | about 7 years |
| 5.0.4.rc1 | MIT | 2 | 2017-06-14 - 20:48 | almost 7 years |
| 5.0.1.rc2 | MIT | 2 | 2016-12-09 - 19:12 | over 7 years |
| 5.0.2.rc1 | MIT | 2 | 2017-02-25 - 00:55 | about 7 years |
| 5.0.3 | MIT | 2 | 2017-05-12 - 20:04 | almost 7 years |
| 5.0.7 | MIT | 2 | 2018-03-29 - 17:59 | about 6 years |
| 5.0.0.1 | MIT | 2 | 2016-08-11 - 17:32 | over 7 years |
| 5.0.5.rc2 | MIT | 2 | 2017-07-25 - 20:25 | almost 7 years |
| 5.0.0 | MIT | 2 | 2016-06-30 - 21:22 | almost 8 years |
| 5.2.1.rc1 | MIT | 2 | 2018-07-30 - 20:21 | over 5 years |
| 5.0.5.rc1 | MIT | 2 | 2017-07-19 - 19:43 | almost 7 years |
| 5.0.1 | MIT | 2 | 2016-12-21 - 00:07 | over 7 years |
| 5.0.4 | MIT | 2 | 2017-06-19 - 21:58 | almost 7 years |
| 5.0.5 | MIT | 2 | 2017-07-31 - 19:04 | over 6 years |
| 5.0.6.rc1 | MIT | 2 | 2017-08-24 - 19:10 | over 6 years |
| 5.2.1 | MIT | 2 | 2018-08-07 - 21:43 | over 5 years |
| 5.2.0 | MIT | 2 | 2018-04-09 - 20:06 | about 6 years |
| 4.2.9.rc2 | MIT | 1 | 2017-06-19 - 22:27 | almost 7 years |
| 4.2.8.rc1 | MIT | 1 | 2017-02-10 - 02:45 | about 7 years |
| 4.2.9.rc1 | MIT | 1 | 2017-06-13 - 18:50 | almost 7 years |
| 4.2.7.rc1 | MIT | 1 | 2016-07-01 - 00:32 | almost 8 years |
| 4.2.10.rc1 | MIT | 1 | 2017-09-20 - 19:42 | over 6 years |
| 4.2.10 | MIT | 1 | 2017-09-27 - 14:28 | over 6 years |
| 4.2.9 | MIT | 1 | 2017-06-26 - 21:30 | almost 7 years |
| 4.2.4 | MIT | 1 | 2015-08-24 - 18:26 | over 8 years |
| 4.2.4.rc1 | MIT | 1 | 2015-08-14 - 15:20 | over 8 years |
| 4.2.6 | MIT | 1 | 2016-03-07 - 22:32 | about 8 years |
| 4.2.7.1 | MIT | 1 | 2016-08-11 - 17:32 | over 7 years |
| 4.2.7 | MIT | 1 | 2016-07-13 - 02:55 | almost 8 years |
| 4.2.8 | MIT | 1 | 2017-02-21 - 16:08 | about 7 years |
| 4.2.5.rc2 | MIT | 1 | 2015-11-05 - 03:01 | over 8 years |
| 4.2.5.rc1 | MIT | 1 | 2015-10-30 - 20:47 | over 8 years |
| 4.2.2 | MIT | 1 | 2015-06-16 - 18:02 | almost 9 years |
| 4.2.5 | MIT | 1 | 2015-11-12 - 17:06 | over 8 years |
| 4.2.5.2 | MIT | 1 | 2016-02-29 - 19:16 | about 8 years |
| 4.2.1 | MIT | 1 | 2015-03-19 - 16:41 | about 9 years |
| 4.2.1.rc1 | MIT | 1 | 2015-02-20 - 22:20 | about 9 years |
| 4.2.1.rc4 | MIT | 1 | 2015-03-12 - 21:25 | about 9 years |
| 4.2.0 | MIT | 1 | 2014-12-20 - 00:15 | over 9 years |
| 5.1.2.rc1 | MIT | 1 | 2017-06-20 - 17:03 | almost 7 years |
| 5.1.3.rc1 | MIT | 1 | 2017-07-19 - 19:37 | almost 7 years |
| 5.1.3.rc2 | MIT | 1 | 2017-07-25 - 20:17 | almost 7 years |
| 5.1.2 | MIT | 1 | 2017-06-26 - 21:50 | almost 7 years |
| 5.1.1 | MIT | 1 | 2017-05-12 - 20:11 | almost 7 years |
| 5.1.4.rc1 | MIT | 1 | 2017-08-24 - 19:36 | over 6 years |
| 5.1.4 | MIT | 1 | 2017-09-08 - 00:51 | over 6 years |
| 5.1.3 | MIT | 1 | 2017-08-03 - 19:14 | over 6 years |
| 5.1.5 | MIT | 1 | 2018-02-14 - 20:00 | about 6 years |
| 5.1.5.rc1 | MIT | 1 | 2018-02-01 - 18:59 | about 6 years |
| 5.1.6 | MIT | 1 | 2018-03-29 - 18:28 | about 6 years |
| 5.1.3.rc3 | MIT | 1 | 2017-07-31 - 19:12 | over 6 years |
| 5.1.0 | MIT | 1 | 2017-04-27 - 21:00 | about 7 years |
| 4.2.3 | MIT | 1 | 2015-06-25 - 21:29 | almost 9 years |
| 4.2.1.rc3 | MIT | 1 | 2015-03-02 - 21:35 | about 9 years |
| 4.2.1.rc2 | MIT | 1 | 2015-02-25 - 22:19 | about 9 years |
| 4.2.3.rc1 | MIT | 1 | 2015-06-22 - 14:22 | almost 9 years |
| 4.2.5.1 | MIT | 1 | 2016-01-25 - 19:24 | over 8 years |
| 4.2.6.rc1 | MIT | 1 | 2016-03-01 - 18:37 | about 8 years |
| 5.0.7.2 | MIT | 2019-03-13 - 16:40 | about 5 years | |
| 5.1.0.rc1 | MIT | 2017-03-20 - 18:57 | about 7 years | |
| 5.1.0.rc2 | MIT | 2017-04-21 - 01:30 | about 7 years | |
| 5.1.0.beta1 | MIT | 2017-02-23 - 19:58 | about 7 years | |
| 5.0.7.1 | MIT | 2018-11-27 - 20:09 | over 5 years | |
| 5.1.6.1 | MIT | 2018-11-27 - 20:11 | over 5 years | |
| 5.1.6.2 | MIT | 2019-03-13 - 16:45 | about 5 years | |
| 5.2.1.1 | MIT | 2018-11-27 - 20:13 | over 5 years | |
| 5.2.2.rc1 | MIT | 2018-11-28 - 22:54 | over 5 years | |
| 5.2.2.1 | MIT | 2019-03-13 - 16:47 | about 5 years | |
| 5.2.3 | MIT | 2019-03-28 - 03:02 | about 5 years | |
| 5.2.4.rc1 | MIT | 2019-11-23 - 00:28 | over 4 years | |
| 5.2.3.rc1 | MIT | 2019-03-22 - 03:34 | about 5 years | |
| 5.2.2 | MIT | 2018-12-04 - 18:13 | over 5 years | |
| 5.1.7 | MIT | 2019-03-28 - 02:47 | about 5 years | |
| 5.2.4.3 | MIT | 2020-05-18 - 15:42 | almost 4 years | |
| 5.2.4.4 | MIT | 2020-09-09 - 18:36 | over 3 years | |
| 5.2.4.2 | MIT | 2020-03-19 - 16:37 | about 4 years | |
| 6.0.0.beta2 | MIT | 2019-02-25 - 22:45 | about 5 years | |
| 6.0.0.rc1 | MIT | 2019-04-24 - 18:51 | about 5 years | |
| 6.0.0.rc2 | MIT | 2019-07-22 - 21:10 | almost 5 years | |
| 6.0.0.beta3 | MIT | 2019-03-13 - 17:02 | about 5 years | |
| 6.0.0.beta1 | MIT | 2019-01-18 - 20:46 | over 5 years | |
| 5.2.4.1 | MIT | 2019-12-18 - 19:02 | over 4 years | |
| 6.0.1 | MIT | 2019-11-05 - 14:39 | over 4 years | |
| 6.0.2.rc2 | MIT | 2019-12-09 - 16:12 | over 4 years | |
| 6.0.2 | MIT | 2019-12-13 - 18:20 | over 4 years | |
| 6.0.2.rc1 | MIT | 2019-11-27 - 15:12 | over 4 years |