From 7b6a0c7ce128049a0ca75a81b0784c3b06e47158 Mon Sep 17 00:00:00 2001
From: Grey Baker
Date: Tue, 27 Nov 2018 22:26:54 +0000
Subject: [PATCH 1/2] Add CVE-2018-16476 (ActiveJob)
---
 gems/activejob/CVE-2018-16476.yml | 60 +++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 gems/activejob/CVE-2018-16476.yml
diff --git a/gems/activejob/CVE-2018-16476.yml b/gems/activejob/CVE-2018-16476.yml
new file mode 100644
index 0000000000..ac69bf2e3a
--- /dev/null
+++ b/gems/activejob/CVE-2018-16476.yml
@@ -0,0 +1,60 @@
+---
+gem: activejob
+cve: 2018-16476
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
+title: Broken Access Control vulnerability in Active Job
+date: 2018-11-27
+
+description: |
+ There is a vulnerability in Active Job. This vulnerability has been
+ assigned the CVE identifier CVE-2018-16476.
+
+ Versions Affected: >= 4.2.0
+ Not affected: < 4.2.0
+ Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1
+
+ Impact
+ ------
+ Carefully crafted user input can cause Active Job to deserialize it using GlobalId
+ and allow an attacker to have access to information that they should not have.
+
+ Vulnerable code will look something like this:
+
+ MyJob.perform_later(user_input)
+
+ All users running an affected release should either upgrade or use one of the
+ workarounds immediately.
+
+ Releases
+ --------
+ The FIXED releases are available at the normal locations.
+
+ Workarounds
+ -----------
+ Putting the following monkey patch in an intializer can help to mitigate the issue:
+
+ ```
+ require 'active_job'
+ require 'active_job/arguments'
+
+ module ArgumentsNotDeserializingGlobalId
+ def deserialize_argument(argument)
+ case argument
+ when String
+ argument
+ else
+ super
+ end
+ end
+ end
+
+ ActiveJob::Arguments.singleton_class.prepend(ArgumentsNotDeserializingGlobalId)
+ ```
+unaffected_versions:
+ - "< 4.2.0"
+
+patched_versions:
+ - ">= 4.2.11, < 5.0.0"
+ - ">= 5.0.7.1, < 5.1.0"
+ - ">= 5.1.6.1, < 5.2.0"
+ - ">= 5.2.1.1"
From 52b6175d3e6c017a673114cfc72eed595e6fb583 Mon Sep 17 00:00:00 2001
From: Reed Loden
Date: Tue, 27 Nov 2018 19:18:23 -0800
Subject: [PATCH 2/2] Update CVE-2018-16476.yml
---
 gems/activejob/CVE-2018-16476.yml | 31 +++----------------------------
 1 file changed, 3 insertions(+), 28 deletions(-)
diff --git a/gems/activejob/CVE-2018-16476.yml b/gems/activejob/CVE-2018-16476.yml
index ac69bf2e3a..96d43df3d1 100644
--- a/gems/activejob/CVE-2018-16476.yml
+++ b/gems/activejob/CVE-2018-16476.yml
@@ -25,36 +25,11 @@ description: |
 All users running an affected release should either upgrade or use one of the
 workarounds immediately.
 
- Releases
- --------
- The FIXED releases are available at the normal locations.
-
- Workarounds
- -----------
- Putting the following monkey patch in an intializer can help to mitigate the issue:
-
- ```
- require 'active_job'
- require 'active_job/arguments'
-
- module ArgumentsNotDeserializingGlobalId
- def deserialize_argument(argument)
- case argument
- when String
- argument
- else
- super
- end
- end
- end
-
- ActiveJob::Arguments.singleton_class.prepend(ArgumentsNotDeserializingGlobalId)
- ```
 unaffected_versions:
 - "< 4.2.0"
 
 patched_versions:
- - ">= 4.2.11, < 5.0.0"
- - ">= 5.0.7.1, < 5.1.0"
- - ">= 5.1.6.1, < 5.2.0"
+ - "~> 4.2.11"
+ - "~> 5.0.7.1"
+ - "~> 5.1.6.1"
 - ">= 5.2.1.1"
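Review bot: The three added `~>` constraints narrow `patched_versions` more than the description's "Fixed Versions" line intends: `~> 5.0.7.1` means `>= 5.0.7.1, < 5.0.8` and `~> 5.1.6.1` means `>= 5.1.6.1, < 5.1.7`, so a later 5.0.x or 5.1.x release (5.1.7, for example) matches neither `unaffected_versions` nor `patched_versions` and tooling that consumes this file will report it as vulnerable. Pinning the fix level while keeping the whole series avoids that: ` - "~> 4.2, >= 4.2.11"`, ` - "~> 5.0.7, >= 5.0.7.1"`, ` - "~> 5.1.6, >= 5.1.6.1"`. Separately, the surviving context line "or use one of the workarounds immediately" now refers to a Workarounds section this hunk deletes, so the description should drop "or use one of the workarounds" to stay consistent with the remaining text.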