CVE-2019-25025
First published: Fri Mar 05 2021(Updated: )
The `activerecord-session_store` (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782. ## Recommendation This has been fixed in version 2.0.0. All users are advised to update to this version or later.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <=1.1.3 | ||
| rubygems/activerecord-session_store | <=1.1.3 | 2.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-25025
- https://github.com/rails/activerecord-session_store/pull/151
- https://rubygems.org/gems/activerecord-session_store
- https://github.com/rails/activerecord-session_store/commit/9d4dd113d3010b82daaadf0b0ee6b9fb2afb2160
- https://github.com/rails/activerecord-session_store/releases/tag/v2.0.0
- https://github.com/rubysec/ruby-advisory-db/blob/master/activerecord-session_store/CVE-2019-25025.yml
- https://github.com/advisories/GHSA-cvw2-xj8r-mjf7 (Advisory)
- https://access.redhat.com/security/cve/CVE-2019-16782
- https://access.redhat.com/errata/RHSA-2021:4702
- https://bugzilla.redhat.com/show_bug.cgi?id=1935724
Frequently Asked Questions
What is CVE-2019-25025?
CVE-2019-25025 is a vulnerability in the activerecord-session_store component for Ruby on Rails that allows remote attackers to exploit timing discrepancies to determine the validity of guessed session IDs.
How severe is CVE-2019-25025?
CVE-2019-25025 has a severity rating of 5.3 (Medium).
What software is affected by CVE-2019-25025?
The activerecord-session_store component through version 1.1.3 for Ruby on Rails is affected.
How can I fix CVE-2019-25025?
To fix CVE-2019-25025, upgrade the activerecord-session_store component to version 2.0.0 or newer.
Where can I find more information about CVE-2019-25025?
More information about CVE-2019-25025 can be found at the following references: [link1], [link2], [link3].
- collector/github-advisory-latest
- alias/GHSA-cvw2-xj8r-mjf7
- alias/CVE-2019-25025
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/weakness
- agent/severity
- agent/references
- agent/remedy
- collector/github-advisory
- source/GitHub
- agent/software-canonical-lookup
- agent/description
- collector/nvd-cve
- source/NVD
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/rubygems
- vendor/rubyonrails
- canonical/rubyonrails active record session store
- version/rubyonrails active record session store/1.1.3