Vulnerabilities > CVE-2023-42446 - Operation on a Resource after Expiration or Release vulnerability in Powauth POW

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

powauth

CWE-672

NVD

Published: 2023-09-18

Updated: 2023-09-22

Summary

Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.

Vulnerable Configurations

Part	Description	Count
Application	Powauth Powauth POW 1.0.14 Powauth POW 1.0.15 Powauth POW 1.0.16 Powauth POW 1.0.17 Powauth POW 1.0.18 Powauth POW 1.0.19 Powauth POW 1.0.20 Powauth POW 1.0.21 Powauth POW 1.0.22 Powauth POW 1.0.23 Powauth POW 1.0.24 Powauth POW 1.0.25 Powauth POW 1.0.26 Powauth POW 1.0.27 Powauth POW 1.0.28 Powauth POW 1.0.29 Powauth POW 1.0.30 Powauth POW 1.0.31 Powauth POW 1.0.32 Powauth POW 1.0.33	20

Common Weakness Enumeration (CWE)

CWE-672 - Operation on a Resource after Expiration or Release

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References