CVE-2023-42446

Description

Use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A cache key may become expired when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than the keys' remaining TTL and the expired key won't be invalidated on startups. ### Workarounds The expired keys, including all expired sessions, can be manually invalidated by running: ```elixir :mnesia.sync_transaction(fn -> Enum.each(:mnesia.dirty_select(Pow.Store.Backend.MnesiaCache, [{{Pow.Store.Backend.MnesiaCache, :_, :_}, [], [:"$_"]}]), fn {_, key, {_value, expire}} -> ttl = expire - :os.system_time(:millisecond) if ttl < 0, do: :mnesia.delete({Pow.Store.Backend.MnesiaCache, key}) end) end) ``` ### References https://github.com/pow-auth/pow/commit/15dc525be03c466daa5d2119ca7acdec7b24ed17 https://github.com/pow-auth/pow/issues/713 https://github.com/pow-auth/pow/pull/714

How to fix CVE-2023-42446

To remediate CVE-2023-42446, upgrade the affected package to a fixed version below.

• —upgrade to 1.0.34 or later

Is CVE-2023-42446 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 1.0.14, < 1.0.34

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-42446
• PATCHgithub.com/pow-auth/pow
• WEBgithub.com/pow-auth/pow/commit/15dc525be03c466daa5d2119ca7acdec7b24ed17
• WEBgithub.com/pow-auth/pow/issues/713
• WEB