CVE-2023-42446

2023-09-1822:15:47

CWE-298

CWE-672

[email protected]

web.nvd.nist.gov

pow

authentication

user management

phoenix

plug

session hijacking

expired keys

mnesiacache

vulnerability

cve-2023-42446

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.0005 Low

EPSS

Percentile

16.1%

JSON

Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of Pow.Store.Backend.MnesiaCache is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all Pow.Store.Backend.MnesiaCache instances have been shut down for a period that is longer than a session’s remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.

Affected configurations

Vulners

NVD

Node

pow-authpowRange1.0.14–1.0.34

CPENameOperatorVersion
powauth:powpowauth powlt1.0.34

CPE	Name	Operator	Version
powauth:pow	powauth pow	lt	1.0.34

CNA Affected

[
  {
    "vendor": "pow-auth",
    "product": "pow",
    "versions": [
      {
        "version": ">= 1.0.14, < 1.0.34",
        "status": "affected"
      }
    ]
  }
]