RubySec

Providing security resources for the Ruby community

CVE-2019-25025 (activerecord-session_store): activerecord-session_store Timing Attack

ADVISORIES

GEM

activerecord-session_store

SEVERITY

CVSS v3: 5.9

PATCHED VERSIONS

  • >= 2.0.0

DESCRIPTION

The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.

Recommendation

Users should upgrade to activerecord-session_store version 2.0.0 or later.