A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.

References:
https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/
Created rubygem-activejob tracking bugs for this issue: Affects: fedora-all [bug 1659224]
RHSCL is vulnerable. Here's an example of what the input looks like before and after serialization & deserialization:

```
(["gid://poc/Person/5"])
```

=>

```
([#<Person:0x0000000001616ce0 @id="5">])
```
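The comment above shows the effect: a plain string that merely looks like a GlobalID comes back as a loaded record. The script below is an added illustration, not code from this bug, from Rails or from the GlobalID gem. It uses a toy in-memory locator (`toy_locate`, `RECORDS`, a `Person` struct, all constructed here) so it runs offline, and contrasts the vulnerable deserialization shape (every `String` argument is offered to the locator) with the hardened shape Rails adopted in the fix (plain strings stay strings; only the `_aj_globalid` hash that the serializer itself emits is resolved). The `_aj_globalid` key is the real Active Job tag; everything else is a stand-in.

```ruby
# Added illustration of the Active Job argument-deserialization issue above.
# NOT Rails/GlobalID code: the locator and record store are toy stand-ins.
require 'uri'

# Constructed in-memory "database": model name => { id => record }.
Person = Struct.new(:id, :name)
RECORDS = {
  'Person' => { '5' => Person.new('5', 'Ada') }
}.freeze

# Toy locator: resolves "gid://app/Model/id" against RECORDS, nil otherwise.
# (The real GlobalID::Locator would hit the database here.)
def toy_locate(value)
  return nil unless value.is_a?(String) && value.start_with?('gid://')
  uri = begin
    URI.parse(value)
  rescue URI::InvalidURIError
    nil
  end
  return nil unless uri && uri.scheme == 'gid'
  model, id = uri.path.split('/').reject(&:empty?)
  RECORDS.dig(model, id)
end

# Shared handling of the serializer's own GlobalID envelope.
def deserialize_tagged_hash(hash, &recurse)
  if hash.key?('_aj_globalid')
    toy_locate(hash['_aj_globalid'])
  else
    hash.transform_values(&recurse)
  end
end

# Vulnerable shape: any String is handed to the locator, so a job argument
# that came from user input and happens to look like a GID is turned into a
# record the caller never meant to expose.
def deserialize_vulnerable(arg)
  case arg
  when String then toy_locate(arg) || arg
  when Array  then arg.map { |a| deserialize_vulnerable(a) }
  when Hash   then deserialize_tagged_hash(arg) { |v| deserialize_vulnerable(v) }
  else arg
  end
end

# Hardened shape (what the fix does): plain strings are returned untouched;
# only the tagged hash produced by serialization reaches the locator.
def deserialize_fixed(arg)
  case arg
  when String then arg
  when Array  then arg.map { |a| deserialize_fixed(a) }
  when Hash   then deserialize_tagged_hash(arg) { |v| deserialize_fixed(v) }
  else arg
  end
end

if __FILE__ == $PROGRAM_NAME
  input = ['gid://poc/Person/5']          # the string from the comment above
  p deserialize_vulnerable(input)         # => [#<struct Person id="5", name="Ada">]
  p deserialize_fixed(input)              # => ["gid://poc/Person/5"]
  p deserialize_fixed([{ '_aj_globalid' => 'gid://poc/Person/5' }])
end
```

The practical check for a defender is the second call: after the fix, a string argument round-trips as a string, and a record is only materialised when the serializer's own `_aj_globalid` envelope is present.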
This issue has been addressed in the following products:

CloudForms Management Engine 5.9

Via RHSA-2019:0600 https://access.redhat.com/errata/RHSA-2019:0600