Activerecord-session_store Vulnerable to Timing Attack
Moderate severity · GitHub Reviewed · Published Mar 9, 2021 to the GitHub Advisory Database · Updated Sep 5, 2023
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.
Recommendation
This has been fixed in version 2.0.0. All users are advised to update to this version or later.
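As an added illustration (not the gem's own code nor text from the advisory), the vulnerable lookup pattern beside a hardened one, assuming a constructed in-memory hash stands in for the sessions table:

```ruby
require "digest"

# Constructed "sessions table": public session ID => session data.
# In the real store this is a database row; the lookup's timing is what leaks.
SESSIONS = { "a1b2c3d4e5f6" => { "user_id" => 42 } }.freeze

# Vulnerable pattern: String#== stops at the first differing byte, so the
# time taken grows with the length of the matching prefix. Measured over
# many requests, that lets a remote caller confirm a guess byte by byte.
def lookup_naive(guess)
  SESSIONS.each { |sid, data| return data if sid == guess }
  nil
end

# Constant-time equality: hash both inputs to a fixed length (so an early
# length check cannot leak), then OR-accumulate the XOR of every byte and
# decide only at the end, never exiting early.
def secure_equal?(a, b)
  da = Digest::SHA256.digest(a.to_s)
  db = Digest::SHA256.digest(b.to_s)
  acc = 0
  da.bytes.zip(db.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

# Hardened pattern: the store keeps a private id (a hash of the public id
# from the cookie) and looks up by that. A partial match against the hashed
# key tells the caller nothing about the real session ID, and the final
# comparison is constant-time as well. (Illustrative; assumed design.)
def private_id(public_id)
  Digest::SHA256.hexdigest(public_id.to_s)
end

SESSIONS_BY_PRIVATE_ID = SESSIONS.transform_keys { |sid| private_id(sid) }.freeze

def lookup_hardened(guess)
  key = private_id(guess)
  SESSIONS_BY_PRIVATE_ID.each { |pid, data| return data if secure_equal?(pid, key) }
  nil
end
```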