CVE-2019-25025

NameCVE-2019-25025
DescriptionThe activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-activerecord-session-store (PTS)stretch1.0.0-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-activerecord-session-storesource(unstable)(unfixed)

Notes

[stretch] - ruby-activerecord-session-store <ignored> (No reverse dependencies)
https://bugzilla.redhat.com/show_bug.cgi?id=1935724
https://github.com/rails/activerecord-session_store/pull/151

Search for package or bug name: Reporting problems