From adc4cf17d0c675a5748425528410d8b891f9b39e Mon Sep 17 00:00:00 2001
From: James 'zofrex' Sanderson <zofrex@gmail.com>
Date: Fri, 5 Mar 2021 08:56:09 +0000
Subject: [PATCH] Add CVE-2019-25025 for activerecord-session_store

---
 .../CVE-2019-25025.yml                        | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 gems/activerecord-session_store/CVE-2019-25025.yml

diff --git a/gems/activerecord-session_store/CVE-2019-25025.yml b/gems/activerecord-session_store/CVE-2019-25025.yml
new file mode 100644
index 0000000000..33c7e83e13
--- /dev/null
+++ b/gems/activerecord-session_store/CVE-2019-25025.yml
@@ -0,0 +1,19 @@
+---
+gem: activerecord-session_store
+cve: 2019-25025
+date: 2019-12-22
+url: https://github.com/rails/activerecord-session_store/pull/151
+title: |
+  Activerecord-session_store Timing Attack
+
+description: |
+  The activerecord-session_store (aka Active Record Session Store) component
+  through 1.1.3 for Ruby on Rails does not use a constant-time approach when
+  delivering information about whether a guessed session ID is valid.
+  Consequently, remote attackers can leverage timing discrepancies to achieve a
+  correct guess in a relatively short amount of time. This is a related issue to
+  CVE-2019-16782.
+
+related:
+  cve:
+    - 2019-16782