VDB

CVE-2019-25025

CVE-2019-25025 PUBLISHED

The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.

EPSS 0.14% · 33.3th percentile

Risk Scores

EPSS Score
0.14%
33.3th percentile

Affected Products

VendorProductVersions
Ubuntu:18.04:LTSruby-activerecord-session-store0, 1.0.0-2
Ubuntu:16.04:LTSruby-activerecord-session-store0, 0.1.1-3, 0.1.1-2

Timeline

  • Mar 5, 2021 CVE Published
  • Mar 5, 2021 PoC Published
  • Mar 15, 2021 CVE Updated
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score
  • May 1, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›