PT-2023-28346 · Pow · Pow

Gvirtu · Published 2023-09-18 · Updated 2023-09-22 · CVE-2023-42446

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Pow versions 1.0.14 through 1.0.33
Description: Pow is an authentication and user management solution for Phoenix and Plug-based apps. The use of Pow.Store.Backend.MnesiaCache is susceptible to session hijacking, because expired keys are not invalidated correctly on startup. A session may expire while all Pow.Store.Backend.MnesiaCache instances are shut down for longer than that session's remaining TTL; after restart, such a session is not removed and remains usable.
Recommendations: For versions 1.0.14 through 1.0.33, update to version 1.0.34 to resolve the issue. As a temporary workaround, expired keys, including all expired sessions, can be manually invalidated by running the provided Elixir code to delete expired keys from the Pow.Store.Backend.MnesiaCache.
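A simplified model of the failure mode, added here as an example and not Pow's own code: a persisted TTL session table whose expiry relies on per-instance deletion timers, started once with and once without a sweep of keys that already expired during downtime. The class, the token and the timing values are constructed for illustration.

```python
# Constructed, simplified model (not Pow's code) of a TTL session store whose
# table outlives a restart, as an on-disk Mnesia table does.  Expiry is enforced
# by per-key deletion timers, not on read, so a key that expires while no
# instance is running has to be swept at the next startup.

class SessionStore:
    def __init__(self, table, clock, purge_on_start=True):
        self.table = table    # persisted {key: (value, expires_at_ms)}
        self.clock = clock    # callable returning milliseconds
        self.timers = {}      # key -> expires_at_ms, armed by this instance
        for key, (_, expires_at) in list(table.items()):
            if expires_at > clock():
                self.timers[key] = expires_at  # re-arm the deletion timer
            elif purge_on_start:
                del table[key]                 # fixed: drop keys that expired during downtime
            # vulnerable path: an already-expired key is neither re-armed nor deleted

    def put(self, key, value, ttl_ms):
        expires_at = self.clock() + ttl_ms
        self.table[key] = (value, expires_at)
        self.timers[key] = expires_at

    def tick(self):
        """Fire due deletion timers: the running instance's only expiry path."""
        for key, expires_at in list(self.timers.items()):
            if expires_at <= self.clock():
                self.table.pop(key, None)
                del self.timers[key]

    def get(self, key):
        record = self.table.get(key)  # reads trust the timers; no expiry check here
        return record[0] if record else None

def session_survives_restart(purge_on_start, ttl_ms=1000, downtime_ms=5000):
    """Issue a session, stop every instance for downtime_ms, restart one and
    report whether the old token still resolves.  True with downtime > TTL is
    the stale-session condition the advisory describes."""
    clock = [0]
    read_clock = lambda: clock[0]
    table = {}                          # the persisted table shared across restarts
    store = SessionStore(table, read_clock, purge_on_start)
    store.put("session:tok-a1", {"user_id": 42}, ttl_ms)   # constructed token
    clock[0] += downtime_ms             # every instance is down: no timer can fire
    store = SessionStore(table, read_clock, purge_on_start)
    store.tick()                        # give any re-armed timer a chance to fire
    return store.get("session:tok-a1") is not None
```

With `purge_on_start=False` the expired session still resolves after the restart; with the startup sweep it does not, while a session whose TTL has not yet elapsed survives the restart in both modes.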

Related Identifiers

CVE-2023-42446
GHSA-3CJH-P6PW-JHV9

Affected Products

Pow