activejob is vulnerable to information disclosure. A lack of validation in the deserialize_argument
function in arguments.rb
allows remote attackers access to information that is otherwise not accessible when deserializing GlobalID
objects that were not generated by Active Jobs.
access.redhat.com/errata/RHSA-2019:0600
github.com/rails/rails/commit/72300f9742745f9535b06d45a9632e948ed7d79b
github.com/rubysec/ruby-advisory-db/pull/372/commits/7b6a0c7ce128049a0ca75a81b0784c3b06e47158
groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/