Update CVE-2019-25025 for activerecord-session_store now that a fix h…

…as been released (#463)
rubysec · Mar 10, 2021 · 3443c06 · 3443c06
1 parent 54f3320
commit 3443c06
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/gems/activerecord-session_store/CVE-2019-25025.yml b/gems/activerecord-session_store/CVE-2019-25025.yml
@@ -13,15 +13,16 @@ description: |
   amount of time. This is a related issue to CVE-2019-16782.
 
   ## Recommendation
-  As of the publishing of this advisory, there is no official fix in place.
-
-  An unofficial fix is described here:
-  https://github.com/rails/activerecord-session_store/pull/151#issuecomment-631705247
+  Users should upgrade to `activerecord-session_store` version 2.0.0 or later.
 
 cvss_v3: 5.9
 
+patched_versions:
+  - ">= 2.0.0"
+
 related:
   cve:
     - 2019-16782
   url:
     - https://github.com/rails/activerecord-session_store/pull/151
+    - https://github.com/rails/activerecord-session_store/releases/tag/v2.0.0