CVE-2019-25025

Published about 1 month ago
Category: Session Setting
Source: GitHub
Severity: Moderate

Vulnerability in activerecord-session_store

The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.

Recommendation

As of the publishing of this advisory, there is no official fix in place.

An unofficial fix is described here: https://github.com/rails/activerecord-session_store/pull/151#issuecomment-631705247

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 2.0.0

Unaffected Versions

n/a

References

n/a