WEB APPLICATION VULNERABILITIES Standard & Premium

Ruby on Rails Deserialization of Untrusted Data Vulnerability (CVE-2018-16476)

Description

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.

Remediation

References

Related Vulnerabilities

Oracle Database Server Other Vulnerability (CVE-1999-0888)

MediaWiki Improper Input Validation Vulnerability (CVE-2011-1579)

WordPress Plugin Category List Portfolio Page TimThumb Arbitrary File Upload (1.2.3)

PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2018-10545)

WordPress 4.0.x Multiple Vulnerabilities (4.0 - 4.0.9)

Severity

High

Classification

CVE-2018-16476 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities