CVE-2023-42446

2023-09-1822:15:47

CWE-298

CWE-672

GitHub_M

web.nvd.nist.gov

pow

authentication

user management

phoenix

plug

session hijacking

expired keys

mnesiacache

vulnerability

cve-2023-42446

nvd

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

23.9%

JSON

Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of Pow.Store.Backend.MnesiaCache is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all Pow.Store.Backend.MnesiaCache instances have been shut down for a period that is longer than a session’s remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.

Affected configurations

Nvd

Vulners

Node

powauthpowRange1.0.14–1.0.34

VendorProductVersionCPE
powauthpow*cpe:2.3:a:powauth:pow:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
powauth	pow	*	cpe:2.3:a:powauth:pow::::::::

CNA Affected

[
  {
    "vendor": "pow-auth",
    "product": "pow",
    "versions": [
      {
        "version": ">= 1.0.14, < 1.0.34",
        "status": "affected"
      }
    ]
  }
]