
CVE-2020-5205 pow

Package

Manager: erlang
Name: pow
Vulnerable Version: >=0 <1.0.16

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00302 (percentile 0.53047)

Details

Session fixation

Impact

The use of `Plug.Session` in `Pow.Plug.Session` is susceptible to session fixation attacks if a persistent session store is used for `Plug.Session`, such as Redis or a database. The cookie store, which is used in most Phoenix apps, does not have this vulnerability.

Workarounds

Call `Plug.Conn.configure_session(conn, renew: true)` periodically and after any privilege change. A custom authorization plug can be written where the `create/3` function returns the `conn` only after `Plug.Conn.configure_session/2` has been called on it.

References

https://github.com/danschultzer/pow/commit/578ffd3d8bb8e8a26077b644222186b108da474f
https://www.owasp.org/index.php/Session_fixation
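The workaround above amounts to forcing `Plug.Session` to issue a fresh session id whenever the session's trust level changes, so that an id planted before authentication is never promoted to an authenticated one. The module below is an added example written for this advisory, not code from the Pow project or the upstream fix; the module name, the `:session_renewed_at` key and the 15-minute interval are assumptions. It relies only on the public `Plug.Conn` API (`configure_session/2`, `get_session/2`, `put_session/3`) and must run after `Plug.Session` / `fetch_session` in the pipeline.

```elixir
defmodule MyAppWeb.Plugs.RenewSession do
  @moduledoc """
  Added example (not Pow's own code): mitigation for session fixation when
  `Plug.Session` is backed by a persistent store such as Redis or a database.

  `configure_session(conn, renew: true)` tells the session store to allocate a
  new session id while keeping the session data, so an id that an attacker may
  have planted before login is not carried across the privilege change.
  """
  @behaviour Plug
  import Plug.Conn

  # Assumed interval for periodic renewal (the advisory says "periodically").
  @default_renew_after 15 * 60

  @impl Plug
  def init(opts), do: Keyword.merge([renew_after: @default_renew_after], opts)

  # Periodic renewal: rotate the id when it is older than :renew_after seconds.
  # Place this plug after `plug :fetch_session` in the browser pipeline.
  @impl Plug
  def call(conn, opts) do
    now = System.system_time(:second)

    case get_session(conn, :session_renewed_at) do
      last when is_integer(last) and now - last < opts[:renew_after] ->
        conn

      _ ->
        renew(conn, now)
    end
  end

  @doc """
  Call this from the sign-in / role-change path, i.e. immediately after the
  user is authenticated and before the response is sent, so the authenticated
  session never reuses a pre-authentication id.
  """
  def renew_after_privilege_change(conn) do
    renew(conn, System.system_time(:second))
  end

  defp renew(conn, now) do
    conn
    |> configure_session(renew: true)
    |> put_session(:session_renewed_at, now)
  end
end
```

In a Phoenix router this would be `plug MyAppWeb.Plugs.RenewSession` after `plug :fetch_session` in the `:browser` pipeline, and the login controller would pipe the authenticated `conn` through `MyAppWeb.Plugs.RenewSession.renew_after_privilege_change/1` before redirecting. Verifying the mitigation is straightforward: capture the session cookie before and after login and confirm the session id changes while the session contents are preserved.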

Metadata

Created: 2022-04-12T21:27:49Z
Modified: 2022-04-12T21:27:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-v2wf-c3j6-wpvw/GHSA-v2wf-c3j6-wpvw.json
CWE IDs: ["CWE-384"]
Alternative ID: GHSA-v2wf-c3j6-wpvw
Finding: F280
Auto approve: 1