Add CVE-2019-25025 for activerecord-session_store #462
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hey! Thanks for the submission. Can you provide us with affected versions? Cheers, |
|
All, I believe, or certainly the most recent at least, it's unpatched: rails/activerecord-session_store#151 I haven't dug back through to see how long ago this was introduced. |
|
Do we have GitHub advisory page for CVE-2019-25025 with all the information? |
|
We do now have a GHSA for this CVE: GHSA-cvw2-xj8r-mjf7. Thank you for raising this, and please let me know in this thread if any info in that advisory should be changed. |
pezholio
added a commit
to dxw/transition
that referenced
this pull request
Mar 9, 2021
This addresses CVE-2019-16782 There has been a vulnerability in the wild[1] around session hijacks in Rack and related frameworks for a while now, but this has been fixed in Rack and Rails for a while now. There's a fix for the upstream version of ActiverecordSessionStore since late 2019[2], but this hasn't been merged yet. We weren't aware of this issue until recently, as it's only just been added to the Ruby Advisory DB[3] This uses a fork of the upstream gem, as suggested in the original PR[4] to fix the immediate issue. [1] https://nvd.nist.gov/vuln/detail/CVE-2019-16782 [2] rails/activerecord-session_store#151 [3] rubysec/ruby-advisory-db#462 [4] rails/activerecord-session_store#151 (comment)
pezholio
added a commit
to dxw/transition
that referenced
this pull request
Mar 9, 2021
This addresses CVE-2019-16782 There has been a [vulnerability in the wild][1] around session hijacks in Rack and related frameworks for a while now, but this has been fixed in Rack and Rails for a while now. There's a [fix for the upstream version of ActiverecordSessionStore since late 2019][2], but this hasn't been merged yet. We weren't aware of this issue until recently, as it's only [just been added to the Ruby Advisory DB][3] This uses a fork of the upstream gem, [as suggested in the original PR][4] to fix the immediate issue. [1] https://nvd.nist.gov/vuln/detail/CVE-2019-16782 [2] rails/activerecord-session_store#151 [3] rubysec/ruby-advisory-db#462 [4] rails/activerecord-session_store#151 (comment)
pezholio
added a commit
to dxw/transition
that referenced
this pull request
Mar 9, 2021
This addresses CVE-2019-16782 There has been a [vulnerability in the wild][1] around session hijacks in Rack and related frameworks for a while now, but this has been fixed in Rack and Rails for a while now. There's a [fix for the upstream version of ActiverecordSessionStore since late 2019][2], but this hasn't been merged yet. We weren't aware of this issue until recently, as it's only [just been added to the Ruby Advisory DB][3] This uses a fork of the upstream gem, [as suggested in the original PR][4] to fix the immediate issue. [1]:https://nvd.nist.gov/vuln/detail/CVE-2019-16782 [2]:rails/activerecord-session_store#151 [3]:rubysec/ruby-advisory-db#462 [4]:rails/activerecord-session_store#151 (comment)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.