CVE-2019-25025 — MEDIUM (5.3)

Q: How severe is CVE-2019-25025?

CVE-2019-25025 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-25025?

Check the references section above for vendor advisories and patch information. Affected products include: Rubyonrails Active Record Session Store.

Vulnerability Description

The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Rubyonrails	Active Record Session Store	<= 1.1.3

References

https://github.com/rails/activerecord-session_store/pull/151PatchThird Party Advisory
https://github.com/rails/activerecord-session_store/pull/151PatchThird Party Advisory

FAQ

What is CVE-2019-25025?

CVE-2019-25025 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed ses...

How severe is CVE-2019-25025?

CVE-2019-25025 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-25025?

Check the references section above for vendor advisories and patch information. Affected products include: Rubyonrails Active Record Session Store.