CVE-2018-16476
Description
Active Job versions >=4.2.0 have a broken access control vulnerability allowing attackers to deserialize arbitrary objects via GlobalId, leading to information exposure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A broken access control vulnerability exists in Active Job versions >= 4.2.0 and before the fixed versions (4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1). When Active Job deserialized job arguments, every String argument was handed to GlobalID::Locator.locate and, if it parsed as a gid:// URI for an existing record, was replaced by that record. The deserializer therefore could not distinguish a GlobalID that Active Job had serialized itself from an arbitrary string that merely looked like one, so attacker-controlled string arguments could be turned into model objects of the attacker's choosing. [1]
Exploitation
An attacker needs to get a string of their choosing deserialized as a job argument, typically through a web application that enqueues a job with user-supplied parameters. No authentication is required beyond whatever it takes to reach that enqueue path. The attacker submits a string of the form gid://<app>/<Model>/<id> naming a record they should not be able to reach; on deserialization the string is resolved to that record, and the job then operates on an object the attacker selected instead of the literal string the application expected. [1][4]
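The following is an added example, not code from Rails or the Active Job project. It models Active Job's argument serialization and deserialization in a few lines and runs both sides of the fix commit (970b0d754be7) over the same attacker-controlled string. Record, REGISTRY, FakeLocator and the app name "myapp" are constructed stand-ins for Active Record rows, the database and GlobalID::Locator; the "_aj_globalid" hash key is the one Active Job itself uses when it serializes a GlobalID-bearing object, and the `when String` branch mirrors the vulnerable and fixed versions of arguments.rb.

```ruby
# Added example, not code from Rails or the Active Job project: a minimal
# model of Active Job's argument (de)serialization before and after commit
# 970b0d754be7. Record, REGISTRY, FakeLocator and the app name "myapp" are
# constructed stand-ins for Active Record rows, the database, and
# GlobalID::Locator; the "_aj_globalid" hash key is the real one Active Job
# uses when it serializes a GlobalID-bearing object itself.

Record = Struct.new(:model, :id, :email)

# Constructed in-memory "database", addressed by gid://myapp/Model/id.
REGISTRY = {
  "gid://myapp/User/1" => Record.new("User", 1, "admin@example.test"),
  "gid://myapp/User/2" => Record.new("User", 2, "alice@example.test"),
}.freeze

# Stand-in for GlobalID::Locator.locate: resolves an existing gid:// URI to
# its record, nil for anything else (unknown id, wrong scheme, not a String).
module FakeLocator
  def self.locate(value)
    return nil unless value.is_a?(String) && value.start_with?("gid://")
    REGISTRY[value]
  end
end

GLOBALID_KEY = "_aj_globalid"

# Serialization: a record is wrapped as { "_aj_globalid" => gid } so the
# deserializer can tell it apart from a plain string a user typed.
def serialize_argument(argument)
  case argument
  when Record then { GLOBALID_KEY => "gid://myapp/#{argument.model}/#{argument.id}" }
  when String, Integer, NilClass then argument
  when Array then argument.map { |a| serialize_argument(a) }
  when Hash then argument.transform_values { |v| serialize_argument(v) }
  else raise ArgumentError, "unsupported argument type #{argument.class}"
  end
end

# Deserialization. locate_strings: true mirrors the vulnerable branch
# (GlobalID::Locator.locate(argument) || argument); false mirrors the fix,
# which returns the String untouched. The GLOBALID_KEY hash path is the
# same in both versions.
def deserialize_argument(argument, locate_strings:)
  case argument
  when String
    locate_strings ? (FakeLocator.locate(argument) || argument) : argument
  when Integer, NilClass then argument
  when Array then argument.map { |a| deserialize_argument(a, locate_strings: locate_strings) }
  when Hash
    if argument.key?(GLOBALID_KEY)
      FakeLocator.locate(argument[GLOBALID_KEY])
    else
      argument.transform_values { |v| deserialize_argument(v, locate_strings: locate_strings) }
    end
  else raise ArgumentError, "unsupported argument type #{argument.class}"
  end
end

# Attacker-controlled value: a job is enqueued with a user-typed string (say a
# display name), and the user typed a gid:// URI for a row they cannot read.
ATTACKER_STRING = "gid://myapp/User/1"

# What the job body receives for the attacker's string under each version.
def job_sees_attacker_string(locate_strings:)
  deserialize_argument(serialize_argument([ATTACKER_STRING]), locate_strings: locate_strings).first
end

# Legitimate path, unaffected by the fix: a record the app enqueued itself
# still round-trips through the GLOBALID_KEY hash.
def legit_record_roundtrip(locate_strings:)
  record = REGISTRY["gid://myapp/User/2"]
  deserialize_argument(serialize_argument([record]), locate_strings: locate_strings).first
end

puts "vulnerable: #{job_sees_attacker_string(locate_strings: true).inspect}"
puts "fixed:      #{job_sees_attacker_string(locate_strings: false).inspect}"
puts "legit:      #{legit_record_roundtrip(locate_strings: false).inspect}"
```

Run with `ruby` and compare the first two lines: the vulnerable deserializer hands the job the admin User record although the application only ever enqueued a string, while the fixed one hands back the string. The third line shows why the fix does not break legitimate use: records the application serialized itself travel inside the `_aj_globalid` hash, and that path is untouched.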
Impact
Successful exploitation leads to information exposure: the attacker can make a job load and act on records they are not authorized to see. The reported impact is limited to information disclosure; remote code execution is not reported. Red Hat rates the vulnerability as moderate severity. [1][2]
Mitigation
The vulnerability is fixed in Active Job versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1. Users should upgrade to the patched release of the branch they are on, or any later release of that branch. Red Hat has released an advisory (RHSA-2019:0600) for CloudForms users. No workaround is available. [1][2][4]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activejob (RubyGems) | >= 4.2.0, < 4.2.11 | 4.2.11 |
| activejob (RubyGems) | >= 5.0.0, < 5.0.7.1 | 5.0.7.1 |
| activejob (RubyGems) | >= 5.1.0, < 5.1.6.1 | 5.1.6.1 |
| activejob (RubyGems) | >= 5.2.0, < 5.2.1.1 | 5.2.1.1 |
Affected products
- pkg:gem/activejob (no CPE): >= 4.2.0, < 4.2.11
- pkg:rpm/suse/rubygem-activejob-4_2, SUSE Enterprise Storage 4 (no CPE): < 4.2.9-3.6.1
- pkg:rpm/suse/rubygem-activejob-4_2, SUSE OpenStack Cloud 7 (no CPE): < 4.2.9-3.6.1
- pkg:rpm/suse/rubygem-activejob-4_2, SUSE OpenStack Cloud Crowbar 8 (no CPE): < 4.2.9-3.6.1
- pkg:rpm/suse/rubygem-activejob-5_1, SUSE Linux Enterprise High Availability Extension 15 (no CPE): < 5.1.4-3.3.1
Patches
970b0d754be7: Do not deserialize GlobalID objects that were not generated by Active Job
2 files changed · +5 −1
activejob/lib/active_job/arguments.rb+1 −1 modified@@ -77,7 +77,7 @@ def serialize_argument(argument) def deserialize_argument(argument) case argument when String - GlobalID::Locator.locate(argument) || argument + argument when *TYPE_WHITELIST argument when Array
activejob/test/cases/argument_serialization_test.rb+4 −0 modified@@ -37,6 +37,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase assert_arguments_roundtrip [@person] end + test "should keep Global IDs strings as they are" do + assert_arguments_roundtrip [@person.to_gid.to_s] + end + test "should dive deep into arrays and hashes" do assert_arguments_roundtrip [3, [@person]] assert_arguments_roundtrip [{ "a" => @person }]
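Review bot: The `when String` branch in arguments.rb now returns the string unchanged, but nothing at that site records why `GlobalID::Locator.locate(argument) || argument` was removed; add a short comment there (e.g. `# Plain strings are never located; only hashes Active Job serialized itself carry a GlobalID`) so the convenience lookup is not reintroduced by a later refactor. In the test hunk, "should keep Global IDs strings as they are" only asserts that `@person.to_gid.to_s` round-trips; an explicit assertion that deserializing that string yields a String and not `@person` would make the security intent of the change visible in the test name's own terms. With only two files changed, there is also no CHANGELOG entry for a behaviour change that applications passing bare gid strings will notice.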
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2019:0600 (Red Hat vendor advisory)
- github.com/advisories/GHSA-q2qw-rmrh-vv42 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-16476 (NVD)
- github.com/rails/rails/commit/970b0d754be7c71a760d9b807eea32297fd838e3 (fix commit)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/CVE-2018-16476.yml (ruby-advisory-db)
- groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ (rubyonrails-security announcement)
- groups.google.com/forum/
- weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released (release post; cited by GHSA and MITRE)