RubyGems - activerecord-session_store - Versions - 1.1.0 - Mend

activerecord-session_store 1.1.0

1 security vulnerability found in version 1.1.0

activerecord-session_store Timing Attack

medium severity CVE-2019-25025

Patched versions: >= 2.0.0

The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.

Recommendation

Users should upgrade to activerecord-session_store version 2.0.0 or later.

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leaked issues.

No license issues detected.

This gem version has a license in the gemspec.

This gem version is available.

This gem version has not been yanked and is still available for usage.