Ruby/activejob/5.0.1


Declare job classes that can be run by a variety of queuing backends.

https://rubygems.org/gems/activejob
MIT

2 Security Vulnerabilities

Improper Access Control in activejob

Published date: 2018-12-05T17:24:27Z
CVE: CVE-2018-16476
Links:

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.

Affected versions: ["5.2.1", "5.2.0", "5.2.1.rc1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4.rc1", "5.1.3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.0", "5.1.4", "5.1.3.rc3", "5.1.2.rc1", "5.1.1", "5.0.7", "5.0.6", "5.0.4", "5.0.3", "5.0.1.rc2", "5.0.0.1", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4.rc1", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc1", "5.0.0", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.8", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6.rc1", "4.2.5", "4.2.5.rc1", "4.2.4.rc1", "4.2.3.rc1", "4.2.2", "4.2.1.rc3", "4.2.1.rc1", "4.2.0", "4.2.10", "4.2.9.rc1", "4.2.8.rc1", "4.2.6", "4.2.5.2", "4.2.5.1", "4.2.5.rc2", "4.2.4", "4.2.3", "4.2.1", "4.2.1.rc4", "4.2.1.rc2"]
Secure versions: [0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 5.0.7.1, 5.0.7.2, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.1.1, 5.2.2, 5.2.2.1, 5.2.2.rc1, 5.2.3, 5.2.3.rc1, 5.2.4, 5.2.4.1, 5.2.4.2, 5.2.4.3, 5.2.4.4, 5.2.4.5, 5.2.4.6, 5.2.4.rc1, 5.2.5, 5.2.6, 5.2.6.1, 5.2.6.2, 5.2.6.3, 5.2.7, 5.2.7.1, 5.2.8, 5.2.8.1, 6.0.0, 6.0.0.beta1, 6.0.0.beta2, 6.0.0.beta3, 6.0.0.rc1, 6.0.0.rc2, 6.0.1, 6.0.1.rc1, 6.0.2, 6.0.2.1, 6.0.2.2, 6.0.2.rc1, 6.0.2.rc2, 6.0.3, 6.0.3.1, 6.0.3.2, 6.0.3.3, 6.0.3.4, 6.0.3.5, 6.0.3.6, 6.0.3.7, 6.0.3.rc1, 6.0.4, 6.0.4.1, 6.0.4.2, 6.0.4.3, 6.0.4.4, 6.0.4.5, 6.0.4.6, 6.0.4.7, 6.0.4.8, 6.0.5, 6.0.5.1, 6.0.6, 6.0.6.1, 6.1.0, 6.1.0.rc1, 6.1.0.rc2, 6.1.1, 6.1.2, 6.1.2.1, 6.1.3, 6.1.3.1, 6.1.3.2, 6.1.4, 6.1.4.1, 6.1.4.2, 6.1.4.3, 6.1.4.4, 6.1.4.5, 6.1.4.6, 6.1.4.7, 6.1.5, 6.1.5.1, 6.1.6, 6.1.6.1, 6.1.7, 6.1.7.1, 6.1.7.10, 6.1.7.2, 6.1.7.3, 6.1.7.4, 6.1.7.5, 6.1.7.6, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.1, 7.0.2, 7.0.2.1, 7.0.2.2, 7.0.2.3, 7.0.2.4, 7.0.3, 7.0.3.1, 7.0.4, 7.0.4.1, 7.0.4.2, 7.0.4.3, 7.0.5, 7.0.5.1, 7.0.6, 7.0.7, 7.0.7.1, 7.0.7.2, 7.0.8, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.1, 7.1.2, 7.1.3, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2.

Broken Access Control vulnerability in Active Job

Published date: 2018-11-27
Framework: rails
CVE: CVE-2018-16476
CVSS V3: 7.5
Links:

There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

Impact

Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.

Vulnerable code will look something like this:

MyJob.perform_later(user_input)  # user_input comes straight from the request and is handed to Active Job's argument serializer

All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected versions: ["5.2.1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.0.7", "5.0.6", "5.0.4", "5.0.3", "5.0.1.rc2", "5.0.0.1", "5.0.0.rc2", "5.0.0.beta4", "5.2.1.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4.rc1", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc1", "5.0.0", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1"]
Secure versions: [0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 5.0.7.1, 5.0.7.2, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.1.1, 5.2.2, 5.2.2.1, 5.2.2.rc1, 5.2.3, 5.2.3.rc1, 5.2.4, 5.2.4.1, 5.2.4.2, 5.2.4.3, 5.2.4.4, 5.2.4.5, 5.2.4.6, 5.2.4.rc1, 5.2.5, 5.2.6, 5.2.6.1, 5.2.6.2, 5.2.6.3, 5.2.7, 5.2.7.1, 5.2.8, 5.2.8.1, 6.0.0, 6.0.0.beta1, 6.0.0.beta2, 6.0.0.beta3, 6.0.0.rc1, 6.0.0.rc2, 6.0.1, 6.0.1.rc1, 6.0.2, 6.0.2.1, 6.0.2.2, 6.0.2.rc1, 6.0.2.rc2, 6.0.3, 6.0.3.1, 6.0.3.2, 6.0.3.3, 6.0.3.4, 6.0.3.5, 6.0.3.6, 6.0.3.7, 6.0.3.rc1, 6.0.4, 6.0.4.1, 6.0.4.2, 6.0.4.3, 6.0.4.4, 6.0.4.5, 6.0.4.6, 6.0.4.7, 6.0.4.8, 6.0.5, 6.0.5.1, 6.0.6, 6.0.6.1, 6.1.0, 6.1.0.rc1, 6.1.0.rc2, 6.1.1, 6.1.2, 6.1.2.1, 6.1.3, 6.1.3.1, 6.1.3.2, 6.1.4, 6.1.4.1, 6.1.4.2, 6.1.4.3, 6.1.4.4, 6.1.4.5, 6.1.4.6, 6.1.4.7, 6.1.5, 6.1.5.1, 6.1.6, 6.1.6.1, 6.1.7, 6.1.7.1, 6.1.7.10, 6.1.7.2, 6.1.7.3, 6.1.7.4, 6.1.7.5, 6.1.7.6, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.1, 7.0.2, 7.0.2.1, 7.0.2.2, 7.0.2.3, 7.0.2.4, 7.0.3, 7.0.3.1, 7.0.4, 7.0.4.1, 7.0.4.2, 7.0.4.3, 7.0.5, 7.0.5.1, 7.0.6, 7.0.7, 7.0.7.1, 7.0.7.2, 7.0.8, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.1, 7.1.2, 7.1.3, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2.
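The advisory's vulnerable pattern is a job enqueued with raw user input. Where upgrading is not immediately possible, one workaround-style guard is to build the job's arguments from an allowlist of scalar fields instead. The following is an added example, not code from the advisory or from Rails; it assumes that Active Job's argument serializer reserves hash keys prefixed "_aj_" for its own type tags, and the job name, allowlist and request parameters are constructed for illustration.

```ruby
# Guard that builds job arguments from an allowlist instead of passing a raw
# request hash to perform_later. Plain Ruby, no Active Job dependency, so it
# runs stand-alone. Assumption: Active Job reserves "_aj_"-prefixed hash keys
# for its serializer's type tags, so user data must never carry such keys.

RESERVED_PREFIX = "_aj_".freeze
ALLOWED_KEYS    = %w[report_id format].freeze            # constructed allowlist
SCALAR_TYPES    = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

class UnsafeJobArgument < ArgumentError; end

# Returns a new Hash holding only allowlisted keys with scalar values.
# Raises UnsafeJobArgument when the input is not a Hash, carries a reserved
# serializer key, or nests a Hash/Array where a scalar is expected, so the
# rejection can be logged and alerted on rather than silently enqueued.
def safe_job_args(raw)
  raise UnsafeJobArgument, "expected a Hash, got #{raw.class}" unless raw.is_a?(Hash)

  raw.each_with_object({}) do |(key, value), out|
    key = key.to_s
    raise UnsafeJobArgument, "reserved key #{key.inspect}" if key.start_with?(RESERVED_PREFIX)
    next unless ALLOWED_KEYS.include?(key)   # drop anything not explicitly allowed
    unless SCALAR_TYPES.any? { |t| value.is_a?(t) }
      raise UnsafeJobArgument, "non-scalar value for #{key.inspect}"
    end
    out[key] = value
  end
end

# Constructed request parameters, as a controller might receive them.
REQUEST_PARAMS = { "report_id" => 42, "format" => "pdf", "page" => "3" }.freeze

# Vulnerable pattern from the advisory: MyJob.perform_later(user_input)
# Hardened pattern:                      MyJob.perform_later(safe_job_args(user_input))
if __FILE__ == $PROGRAM_NAME
  p safe_job_args(REQUEST_PARAMS)            # {"report_id"=>42, "format"=>"pdf"}
  begin
    safe_job_args("report_id" => 1, "_aj_globalid" => "not-checked")
  rescue UnsafeJobArgument => e
    puts "rejected: #{e.message}"            # rejected by key before any value is looked at
  end
end
```

The guard rejects by key name, so it does not need to understand any particular serializer tag value; pair it with a log line on `UnsafeJobArgument` to detect probing of the enqueue path.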

248 Other Versions

Version License Security Released
8.0.2 MIT 2025-03-12 - 03:08 4 months
8.0.1 MIT 2024-12-13 - 20:02 7 months
8.0.0.1 MIT 2024-12-10 - 21:46 7 months
8.0.0 MIT 2024-11-07 - 22:30 8 months
8.0.0.rc2 MIT 2024-10-30 - 00:31 8 months
8.0.0.rc1 MIT 2024-10-19 - 01:43 8 months
8.0.0.beta1 MIT 2024-09-26 - 15:05 9 months
7.2.2.1 MIT 2024-12-10 - 21:42 7 months
7.2.2 MIT 2024-10-31 - 01:47 8 months
7.2.1.2 MIT 2024-10-23 - 22:34 8 months
7.2.1.1 MIT 2024-10-15 - 20:46 9 months
7.2.1 MIT 2024-08-22 - 19:46 10 months
7.2.0 MIT 2024-08-09 - 23:27 11 months
7.2.0.rc1 MIT 2024-08-06 - 17:01 11 months
7.2.0.beta3 MIT 2024-07-11 - 15:20 12 months
7.2.0.beta2 MIT 2024-06-04 - 18:14 about 1 year
7.2.0.beta1 MIT 2024-05-29 - 23:38 about 1 year
7.1.5.1 MIT 2024-12-10 - 21:27 7 months
7.1.5 MIT 2024-10-31 - 01:34 8 months
7.1.4.2 MIT 2024-10-23 - 22:29 8 months
7.1.4.1 MIT 2024-10-15 - 20:40 9 months
7.1.4 MIT 2024-08-22 - 21:27 10 months
7.1.3.4 MIT 2024-06-04 - 18:00 about 1 year
7.1.3.3 MIT 2024-05-16 - 19:22 about 1 year
7.1.3.2 MIT 2024-02-21 - 21:46 over 1 year
7.1.3.1 MIT 2024-02-21 - 18:46 over 1 year
7.1.3 MIT 2024-01-16 - 22:55 over 1 year
7.1.2 MIT 2023-11-10 - 21:51 over 1 year
7.1.1 MIT 2023-10-11 - 22:18 over 1 year
7.1.0 MIT 2023-10-05 - 08:07 over 1 year
7.1.0.rc2 MIT 2023-10-01 - 22:00 over 1 year
7.1.0.rc1 MIT 2023-09-27 - 04:02 almost 2 years
7.1.0.beta1 MIT 2023-09-13 - 00:40 almost 2 years
7.0.8.7 MIT 2024-12-10 - 21:22 7 months
7.0.8.6 MIT 2024-10-23 - 22:23 8 months
7.0.8.5 MIT 2024-10-15 - 20:28 9 months
7.0.8.4 MIT 2024-06-04 - 17:56 about 1 year
7.0.8.3 MIT 2024-05-17 - 19:53 about 1 year
7.0.8.2 MIT 2024-05-16 - 18:58 about 1 year
7.0.8.1 MIT 2024-02-21 - 18:42 over 1 year
7.0.8 MIT 2023-09-09 - 19:13 almost 2 years
7.0.7.2 MIT 2023-08-22 - 20:10 almost 2 years
7.0.7.1 MIT 2023-08-22 - 17:20 almost 2 years
7.0.7 MIT 2023-08-09 - 23:57 almost 2 years
7.0.6 MIT 2023-06-29 - 20:56 about 2 years
7.0.5.1 MIT 2023-06-26 - 21:42 about 2 years
7.0.5 MIT 2023-05-24 - 19:12 about 2 years
7.0.4.3 MIT 2023-03-13 - 18:53 over 2 years
7.0.4.2 MIT 2023-01-25 - 03:14 over 2 years
7.0.4.1 MIT 2023-01-17 - 18:55 over 2 years