GoogleOSV:GHSA-CVW2-XJ8R-MJF7Activerecord-session_store Vulnerable to Timing Attack
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
64.4%
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.
Recommendation
This has been fixed in version 2.0.0. All users are advised to update to this version or later.
References
github.com/rails/activerecord-session_store
github.com/rails/activerecord-session_store/commit/9d4dd113d3010b82daaadf0b0ee6b9fb2afb2160
github.com/rails/activerecord-session_store/pull/151
github.com/rails/activerecord-session_store/releases/tag/v2.0.0
github.com/rubysec/ruby-advisory-db/blob/master/activerecord-session_store/CVE-2019-25025.yml
nvd.nist.gov/vuln/detail/CVE-2019-25025
rubygems.org/gems/activerecord-session_store
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
64.4%