Medium severity 6.5 · NVD Advisory · Published Sep 18, 2023 · Updated Jun 17, 2026
CVE-2023-42446
Description
Pow is an authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of Pow.Store.Backend.MnesiaCache is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all Pow.Store.Backend.MnesiaCache instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.
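The failure mode in the description, as a simplified Python model added here (not Pow's code and not taken from the advisory). It assumes records persist with an absolute expiry while invalidation is driven by in-memory timers; the class, function and key names are hypothetical.

```python
# Simplified model (not Pow's code): records persist with an absolute expiry,
# while invalidation is driven by in-memory timers that are lost on shutdown.
import time


class PersistentTTLStore:
    def __init__(self, disk, purge_expired_on_start, now=time.time):
        self.disk = disk            # stands in for the on-disk table: key -> (value, expire_at)
        self.now = now
        self.timers = {}            # key -> expire_at; in-memory only, rebuilt on every start
        self._startup(purge_expired_on_start)

    def _startup(self, purge_expired):
        current = self.now()
        for key, (_value, expire_at) in list(self.disk.items()):
            if expire_at > current:
                self.timers[key] = expire_at       # still live: re-arm its invalidator
            elif purge_expired:
                del self.disk[key]                 # hardened: expired during downtime, delete now
            # flawed variant: the expired record gets no timer and is never deleted

    def put(self, key, value, ttl):
        expire_at = self.now() + ttl
        self.disk[key] = (value, expire_at)
        self.timers[key] = expire_at

    def tick(self):
        """Fire due timers, as a scheduler would."""
        current = self.now()
        for key in [k for k, t in self.timers.items() if t <= current]:
            del self.timers[key]
            self.disk.pop(key, None)

    def get(self, key):
        # Lookup trusts the timers to have removed expired records (model assumption).
        record = self.disk.get(key)
        return record[0] if record else None


def session_survives_downtime(purge_expired_on_start, ttl=1800, downtime=7200):
    """Create a session, stop every instance for `downtime` seconds, restart, look it up."""
    clock = [1_000_000.0]                          # constructed fake clock
    now = lambda: clock[0]
    disk = {}
    PersistentTTLStore(disk, purge_expired_on_start, now).put("session:abc", {"user_id": 1}, ttl)
    clock[0] += downtime                           # all instances down; no timers run
    restarted = PersistentTTLStore(disk, purge_expired_on_start, now)
    restarted.tick()
    return restarted.get("session:abc") is not None
```

With the startup purge disabled, the session outlives its TTL across the restart; with it enabled, the expired record is removed before any lookup can return it.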
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pow (Hex) | >= 1.0.14, < 1.0.34 | 1.0.34 |
References
- github.com/pow-auth/pow/issues/713 (nvd; Exploit, Issue Tracking; WEB)
- github.com/advisories/GHSA-3cjh-p6pw-jhv9 (ghsa; ADVISORY)
- github.com/pow-auth/pow/security/advisories/GHSA-3cjh-p6pw-jhv9 (nvd; Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-42446 (ghsa; ADVISORY)
- github.com/pow-auth/pow/commit/15dc525be03c466daa5d2119ca7acdec7b24ed17 (ghsa; WEB)
- github.com/pow-auth/pow/pull/714 (ghsa; WEB)