Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2019-25025

Related Vulnerabilities: CVE-2019-25025  

The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.

Source

Description

The MITRE CVE dictionary describes this issue as:

The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.

Additional Information

  • Bugzilla 1935724: CVE-2019-25025 rubygem-activerecord-session_store: hijack sessions by using timing attacks targeting the session id
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • FAQ: Frequently asked questions about CVE-2019-25025

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started