Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zY2poLXA2cHctamh2Oc4AA18e
Pow Mnesia cache doesn't invalidate all expired keys on startup
Use of Pow.Store.Backend.MnesiaCache
is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A cache key may become expired when all Pow.Store.Backend.MnesiaCache
instances have been shut down for a period that is longer than the keys' remaining TTL and the expired key won't be invalidated on startups.
Workarounds
The expired keys, including all expired sessions, can be manually invalidated by running:
:mnesia.sync_transaction(fn ->
Enum.each(:mnesia.dirty_select(Pow.Store.Backend.MnesiaCache, [{{Pow.Store.Backend.MnesiaCache, :_, :_}, [], [:"$_"]}]), fn {_, key, {_value, expire}} ->
ttl = expire - :os.system_time(:millisecond)
if ttl < 0, do: :mnesia.delete({Pow.Store.Backend.MnesiaCache, key})
end)
end)
References
https://github.com/pow-auth/pow/commit/15dc525be03c466daa5d2119ca7acdec7b24ed17
https://github.com/pow-auth/pow/issues/713
https://github.com/pow-auth/pow/pull/714
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zY2poLXA2cHctamh2Oc4AA18e
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: 6 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-3cjh-p6pw-jhv9, CVE-2023-42446
References:
- https://github.com/pow-auth/pow/security/advisories/GHSA-3cjh-p6pw-jhv9
- https://nvd.nist.gov/vuln/detail/CVE-2023-42446
- https://github.com/pow-auth/pow/issues/713
- https://github.com/pow-auth/pow/pull/714
- https://github.com/pow-auth/pow/commit/15dc525be03c466daa5d2119ca7acdec7b24ed17
- https://github.com/advisories/GHSA-3cjh-p6pw-jhv9
Blast Radius: 15.5
Affected Packages
hex:pow
Dependent packages: 8Dependent repositories: 246
Downloads: 1,354,250 total
Affected Version Ranges: >= 1.0.14, < 1.0.34
Fixed in: 1.0.34
All affected versions: 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 1.0.22, 1.0.23, 1.0.24, 1.0.25, 1.0.26, 1.0.27, 1.0.28, 1.0.29, 1.0.30, 1.0.31, 1.0.32, 1.0.33
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.34, 1.0.35, 1.0.36, 1.0.37, 1.0.38