A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.
Created rubygem-activejob tracking bugs for this issue:
Affects: fedora-all [bug 1659224]
RHSCL is vulnerable. Here's an example of what the input looks like before and after serialization & deserialization:
This issue has been addressed in the following products:
CloudForms Management Engine 5.9
Via RHSA-2019:0600 https://access.redhat.com/errata/RHSA-2019:0600