CVE-2019-25025

Опубликовано: 22 дек. 2019

Источник: redhat

CVSS3: 5.3

Описание

The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.

A flaw was found in the activerecord-session_store (Active Record Session Store) component through version 1.1.3 for Ruby on Rails where it does not use a constant time approach when delivering information about whether a guessed session ID is valid. This flaw allows remote attackers to leverage timing discrepancies to achieve a correct guess in a relatively short amount of time.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
CloudForms Management Engine 5	cfme-gemset	Will not fix
Red Hat Satellite 6.10 for RHEL 7	tfm-rubygem-activerecord-session_store	Fixed	RHSA-2021:4702	16.11.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-200

https://bugzilla.redhat.com/show_bug.cgi?id=1935724rubygem-activerecord-session_store: hijack sessions by using timing attacks targeting the session id

5.3 Medium

CVSS3

Связанные уязвимости

CVE-2019-25025

CVSS3: 5.3

ubuntu

почти 5 лет назад

CVE-2019-25025

CVSS3: 5.3

nvd

почти 5 лет назад

CVE-2019-25025

CVSS3: 5.3

debian

почти 5 лет назад

The activerecord-session_store (aka Active Record Session Store) compo ...

GHSA-cvw2-xj8r-mjf7

CVSS3: 5.3

github

почти 5 лет назад

Activerecord-session_store Vulnerable to Timing Attack

5.3 Medium

CVSS3