Activerecord-session_store Vulnerable to Timing Attack
Moderate severity
GitHub Reviewed
Published
Mar 9, 2021
to the GitHub Advisory Database
•
Updated Sep 5, 2023
Description
Published by the National Vulnerability Database
Mar 5, 2021
Reviewed
Mar 9, 2021
Published to the GitHub Advisory Database
Mar 9, 2021
Last updated
Sep 5, 2023
The
activerecord-session_store
(aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.Recommendation
This has been fixed in version 2.0.0. All users are advised to update to this version or later.
References