Add CVE-2019-25025 for activerecord-session_store

reedloden · reedloden · commit 54f332070de2 · 2021-03-08T18:04:05.000-08:00
Fixes #462.
diff --git a/gems/activerecord-session_store/CVE-2019-25025.yml b/gems/activerecord-session_store/CVE-2019-25025.yml
@@ -0,0 +1,27 @@
+---
+gem: activerecord-session_store
+cve: 2019-25025
+ghsa: cvw2-xj8r-mjf7
+url: https://github.com/advisories/GHSA-cvw2-xj8r-mjf7
+date: 2021-03-08
+title: activerecord-session_store Timing Attack
+description: |
+  The `activerecord-session_store` (aka Active Record Session Store) component
+  through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering
+  information about whether a guessed session ID is valid. Consequently, remote attackers
+  can leverage timing discrepancies to achieve a correct guess in a relatively short
+  amount of time. This is a related issue to CVE-2019-16782.
+
+  ## Recommendation
+  As of the publishing of this advisory, there is no official fix in place.
+
+  An unofficial fix is described here:
+  https://github.com/rails/activerecord-session_store/pull/151#issuecomment-631705247
+
+cvss_v3: 5.9
+
+related:
+  cve:
+    - 2019-16782
+  url:
+    - https://github.com/rails/activerecord-session_store/pull/151
