PT-2020-18302 · Hex · Pow

Anschultzer · Published 2020-01-09 · Updated 2022-04-12 · CVE-2020-5205

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pow (Hex package) versions prior to 1.0.16

Description: The use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. This issue does not affect the cookie store, which is commonly used in Phoenix apps.

Recommendations: For versions prior to 1.0.16, call Plug.Conn.configure_session(conn, renew: true) periodically and after privilege change to mitigate the issue. Consider writing a custom authorization plug where the create/3 method returns the conn only after Plug.Conn.configure_session/2 has been called on it. Update to version 1.0.16 or later to resolve the issue.
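The two mitigations above, as an added example rather than code from the Pow project or the advisory: a session controller that regenerates the Plug.Session id right after a successful login (privilege change), and a pipeline plug that regenerates it periodically. Module names, the 15-minute interval and the redirect paths are assumptions; the controller follows Pow's documented custom-controller setup, and the plug must sit after fetch_session in the router pipeline.

```elixir
defmodule MyAppWeb.SessionController do
  # Hypothetical controller: renews the Plug.Session id only once Pow has
  # authenticated the user, so a session id chosen before login is not kept.
  use MyAppWeb, :controller

  def create(conn, %{"user" => user_params}) do
    case Pow.Plug.authenticate_user(conn, user_params) do
      {:ok, conn} ->
        conn
        # Old session id is dropped and its data moved to a fresh id when
        # the response is sent; this is what a persistent store needs.
        |> Plug.Conn.configure_session(renew: true)
        |> redirect(to: "/")

      {:error, conn} ->
        conn
        |> put_flash(:error, "Invalid email or password")
        |> redirect(to: "/session/new")
    end
  end
end

defmodule MyAppWeb.Plugs.RenewSession do
  # Hypothetical plug: regenerates the session id at most every
  # @renew_after_seconds, covering the "periodically" part of the advice.
  import Plug.Conn

  @renew_after_seconds 15 * 60

  def init(opts), do: opts

  def call(conn, _opts) do
    now = System.system_time(:second)

    case get_session(conn, :session_renewed_at) do
      ts when is_integer(ts) and now - ts < @renew_after_seconds ->
        conn

      _ ->
        conn
        |> configure_session(renew: true)
        |> put_session(:session_renewed_at, now)
    end
  end
end
```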

Fix

Session Fixation


Weakness Enumeration

Related Identifiers

CVE-2020-5205
GHSA-V2WF-C3J6-WPVW

Affected Products

Pow