CVE-2023-42446
CVE-2023-42446 is a medium-severity vulnerability in Powauth Pow with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-672.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 0% (36th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-672
- Affected product: Powauth Pow
- Published:
- Last modified:
Description
Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.
Frequently asked questions
- What is CVE-2023-42446?
- Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.
- How severe is CVE-2023-42446?
- CVE-2023-42446 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2023-42446 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (36th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-42446?
- CVE-2023-42446 affects Powauth Pow. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-42446?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-42446 published?
- CVE-2023-42446 was published on 2023-09-18 and last updated on 2026-06-17.
References
- https://github.com/pow-auth/pow/issues/713
- https://github.com/pow-auth/pow/security/advisories/GHSA-3cjh-p6pw-jhv9
Affected products (1)
- cpe:2.3:a:powauth:pow:*:*:*:*:*:*:*:*
More vulnerabilities in Powauth Pow
- CVE-2020-5205 — Medium (CVSS 6.5): In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation…
All CVEs affecting Powauth Pow →
Other CWE-672 (Operation on a Resource after Expiration or Release) vulnerabilities
- CVE-2023-41094 — Critical (CVSS 10.0): TouchLink packets processed after timeout or out of range due to Operation on a Resource after Expiration and Missing…
- CVE-2020-24030 — Critical (CVSS 9.8): ForLogic Qualiex v1 and v3 has weak token expiration. This allows remote unauthenticated privilege escalation and…
- CVE-2020-12043 — Critical (CVSS 9.8): The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) when configured for wireless networking the FTP…
- CVE-2019-17638 — Critical (CVSS 9.4): In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an…
- CVE-2013-10075 — Critical (CVSS 9.1): Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores…
- CVE-2022-22755 — High (CVSS 8.8): By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute…
Browse all CWE-672 (Operation on a Resource after Expiration or Release) vulnerabilities →