Add CVE-2018-16476 (ActiveJob) (#372)

greysteil · reedloden · commit 8cecd5001d75 · 2018-11-27T19:23:23.000-08:00
Add CVE-2018-16476 for ActiveJob
diff --git a/gems/activejob/CVE-2018-16476.yml b/gems/activejob/CVE-2018-16476.yml
@@ -0,0 +1,35 @@
+---
+gem: activejob
+cve: 2018-16476
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
+title: Broken Access Control vulnerability in Active Job
+date: 2018-11-27
+
+description: |
+  There is a vulnerability in Active Job. This vulnerability has been
+  assigned the CVE identifier CVE-2018-16476.
+
+  Versions Affected: >= 4.2.0
+  Not affected: < 4.2.0
+  Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1
+
+  Impact
+  ------
+  Carefully crafted user input can cause Active Job to deserialize it using GlobalId
+  and allow an attacker to have access to information that they should not have.
+
+  Vulnerable code will look something like this:
+
+      MyJob.perform_later(user_input)
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+unaffected_versions:
+  - "< 4.2.0"
+
+patched_versions:
+  - "~> 4.2.11"
+  - "~> 5.0.7.1"
+  - "~> 5.1.6.1"
+  - ">= 5.2.1.1"
