CVE-2018-16476 High Severity Vulnerability detected by WhiteSource

Question

CVE-2018-16476 High Severity Vulnerability detected by WhiteSource

mend-bolt-for-github opened this issue 5 years ago · comments

mend-bolt-for-github commented 5 years ago

CVE-2018-16476 - High Severity Vulnerability

Vulnerable Library - rails-4.2.5.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

path: /gems/2.3.0/cache/rails-4.2.5.gem

Library home page: https://rubygems.org/gems/rails-4.2.5.gem

Dependency Hierarchy:

❌ rails-4.2.5.gem (Vulnerable Library)

Vulnerability Details

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.

Publish Date: 2018-11-30

URL: CVE-2018-16476

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/forum/#!msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ

Release Date: 2019-02-09

Fix Resolution: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

Step up your Open Source Security Game with WhiteSource here

Vlad Arbatov · Answer 1 · Sun Feb 24 2019 16:17:09 GMT+0800 (China Standard Time)

Fixed in ffe23b0