Rapid7 Vulnerability & Exploit Database

Ruby on Rails: Deserialization of Untrusted Data (CVE-2018-16476)

Back to Search

Ruby on Rails: Deserialization of Untrusted Data (CVE-2018-16476)

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
11/30/2018
Created
01/23/2020
Added
01/03/2020
Modified
01/03/2020

Description

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.

Solution(s)

  • ruby-on-rails-upgrade-4_2_11
  • ruby-on-rails-upgrade-5_0_7_1
  • ruby-on-rails-upgrade-5_1_6_1
  • ruby-on-rails-upgrade-5_2_1_1

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;