CVSS v3.x: 5.9 (Medium)
- >= 2.0.0
activerecord-session_store (aka Active Record Session Store) component
through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering
information about whether a guessed session ID is valid. Consequently, remote attackers
can leverage timing discrepancies to achieve a correct guess in a relatively short
amount of time. This is a related issue to CVE-2019-16782.
Users should upgrade to
activerecord-session_store version 2.0.0 or later.