Lucene search
GoogleOSV:CVE-2023-42446HistorySep 18, 2023 - 10:15 p.m.
CVE-2023-42446
2023-09-1822:15:47
Google
osv.dev
3
cve-2023-42446
pow
phoenix
plug
authentication
user management
session hijacking
expired keys
session expiration
mnesiacache
invalidation
patch
Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of Pow.Store.Backend.MnesiaCache is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all Pow.Store.Backend.MnesiaCache instances have been shut down for a period that is longer than a session’s remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.
Related
nvd
nvd
CVE-2023-42446
2023-09-18 22:15:47
osv
osv
Pow Mnesia cache doesn't invalidate all expired keys on startup
2023-09-19 17:00:08
prion
prion
Design/Logic Flaw
2023-09-18 22:15:00
cvelist
cvelist
cve
cve
CVE-2023-42446
2023-09-18 22:15:47
github
github
Pow Mnesia cache doesn't invalidate all expired keys on startup
2023-09-19 17:00:08