activerecord-session_store 1.0.0.pre
1 security vulnerability
found in version
1.0.0.pre
activerecord-session_store Timing Attack
medium severity CVE-2019-25025
medium severity
CVE-2019-25025
Patched versions:
>= 2.0.0
The activerecord-session_store
(aka Active Record Session Store) component
through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering
information about whether a guessed session ID is valid. Consequently, remote attackers
can leverage timing discrepancies to achieve a correct guess in a relatively short
amount of time. This is a related issue to CVE-2019-16782.
Recommendation
Users should upgrade to activerecord-session_store
version 2.0.0 or later.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.