PT-2018-3368 · Ruby On Rails+1 · Active Job+1

Rafael Mendonça França

Publicado

2018-11-27

Atualizado

2019-10-09

CVE-2018-16476

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Active Job versions 4.2.0 through 4.2.10 Active Job versions 5.0.0 through 5.0.7 Active Job versions 5.1.0 through 5.1.6 Active Job versions 5.2.0 through 5.2.1

Description: A Broken Access Control issue allows an attacker to craft user input that can cause Active Job to deserialize it using GlobalId, giving them access to information they should not have. This issue is related to the deserialization of untrusted data, which can lead to unauthorized access to confidential data.

Recommendations: For versions 4.2.0 through 4.2.10, update to version 4.2.11. For versions 5.0.0 through 5.0.7, update to version 5.0.7.1. For versions 5.1.0 through 5.1.6, update to version 5.1.6.1. For versions 5.2.0 through 5.2.1, update to version 5.2.1.1.

Exploit

Correção

Deserialization of Untrusted Data

Improper Access Control

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502CWE-284

Identificadores relacionados

BDU:2020-00686

CVE-2018-16476

GHSA-Q2QW-RMRH-VV42

OPENSUSE-SU-2018_4041-1

OPENSUSE-SU-2024:11322-1

OPENSUSE-SU-2024:11347-1

RHSA-2019:0600

SUSE-SU-2018:3996-1

SUSE-SU-2018_3996-1

SUSE-SU-2019:0152-1

Produtos afetados

Active Job

Suse

PT-2018-3368 · Ruby On Rails+1 · Active Job+1

CVE-2018-16476

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 24