Broken Access Control vulnerability in Active Job
There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.
Patched versions: >= 4.2.11, < 5.0.0; >= 220.127.116.11, < 5.1.0; >= 18.104.22.168, < 5.2.0; >= 22.214.171.124
Unaffected versions: < 4.2.0
How to test: It's Rails, which is everything, but it's a patch version bump. A quick sanity check on posting and browsing should be enough.
It looks like it might also be broken on subcollection listings (e.g. https://test.archiveofourown.org/collections/yuletide/collections) and work collection lists (e.g. https://test.archiveofourown.org/works/1068646/collections). Might have something to do with Collection.includes(:owners).
It's the bullet gem, enabled only in development and staging, but not on test, otherwise the test suite would have caught the issue.
bullet should be 5.7.3 or later.
Posted a multi-chapter co-authored restricted work with comment moderation. It showed up in listings, wasn't visible to logged out users, and indeed had comments moderated (and comment notifications came through). It could be kudosed. Then I deleted it and got a copy of it that looked fine.
I also changed collection settings and approved/rejected collection items and invitations about a million times and that all went fine.
Have tried various browsing, searching, etc. and nothing is obviously broken