Published on: Not Yet Published
Last Modified on: 09/22/2023 02:21:00 PM UTC
Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.
- CVE-2023-42446 has been assigned by security-adviso[email protected] to track the vulnerability - currently rated as MEDIUM severity.
- Affected Vendor/Software: pow-auth - pow version = >= 1.0.14, < 1.0.34
CVSS3 Score: 6.5 - MEDIUM
|Persistence of stale session ids in MnesiaCache · Issue #713 · pow-auth/pow · GitHub|| github.com |
|Pow Mnesia cache doesn't invalidate all expired keys on startup · Advisory · pow-auth/pow · GitHub|| github.com |
Known Affected Configurations (CPE V2.3)