The activerecord-session_store
(aka Active Record Session Store) component
through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering
information about whether a guessed session ID is valid. Consequently, remote attackers
can leverage timing discrepancies to achieve a correct guess in a relatively short
amount of time. This is a related issue to CVE-2019-16782.
Users should upgrade to activerecord-session_store
version 2.0.0 or later.
CPE | Name | Operator | Version |
---|---|---|---|
activerecord-session_store | lt | 2.0.0 |