GHSA-v2wf-c3j6-wpvw

Suggest an improvement
Source
https://github.com/advisories/GHSA-v2wf-c3j6-wpvw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-v2wf-c3j6-wpvw/GHSA-v2wf-c3j6-wpvw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v2wf-c3j6-wpvw
Aliases
Published
2022-04-12T21:27:49Z
Modified
2023-11-08T04:03:51.191426Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N CVSS Calculator
Summary
Session fixation
Details

Impact

The use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability.

Workarounds

Call Plug.Conn.configure_session(conn, renew: true) periodically and after privilege change. A custom authorization plug can be written where the create/3 method should return the conn only after Plug.Conn.configure_session/2 have been called on it.

References

https://github.com/danschultzer/pow/commit/578ffd3d8bb8e8a26077b644222186b108da474f
https://www.owasp.org/index.php/Session_fixation

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2022-04-12T21:27:49Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-384"
    ]
}
References

Affected packages

Hex / pow

Package

Name
pow
Purl
pkg:hex/pow

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.16