Vulnerability Description
Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Powauth | Pow | >= 1.0.14, < 1.0.34 |
Related Weaknesses (CWE)
References
- https://github.com/pow-auth/pow/issues/713ExploitIssue Tracking
- https://github.com/pow-auth/pow/security/advisories/GHSA-3cjh-p6pw-jhv9Vendor Advisory
- https://github.com/pow-auth/pow/issues/713ExploitIssue Tracking
- https://github.com/pow-auth/pow/security/advisories/GHSA-3cjh-p6pw-jhv9Vendor Advisory
FAQ
What is CVE-2023-42446?
CVE-2023-42446 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to s...
How severe is CVE-2023-42446?
CVE-2023-42446 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-42446?
Check the references section above for vendor advisories and patch information. Affected products include: Powauth Pow.