GHSA-3cjh-p6pw-jhv9: Pow Mnesia cache doesn't invalidate all expired keys on startup

Skip to content

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• Pricing

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2023-42446

Pow Mnesia cache doesn’t invalidate all expired keys on startup

Moderate severity GitHub Reviewed Published Sep 18, 2023 in pow-auth/pow • Updated Sep 19, 2023

Package

Affected versions

>= 1.0.14, < 1.0.34

Description

Use of Pow.Store.Backend.MnesiaCache is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A cache key may become expired when all Pow.Store.Backend.MnesiaCache instances have been shut down for a period that is longer than the keys’ remaining TTL and the expired key won’t be invalidated on startups.

Workarounds

The expired keys, including all expired sessions, can be manually invalidated by running:

:mnesia.sync_transaction(fn -> Enum.each(:mnesia.dirty_select(Pow.Store.Backend.MnesiaCache, [{{Pow.Store.Backend.MnesiaCache, :_, :_}, [], [:"$_"]}]), fn {_, key, {_value, expire}} -> ttl = expire - :os.system_time(:millisecond) if ttl < 0, do: :mnesia.delete({Pow.Store.Backend.MnesiaCache, key}) end) end)

References

pow-auth/pow@15dc525
pow-auth/pow#713
pow-auth/pow#714

References

• GHSA-3cjh-p6pw-jhv9
• https://nvd.nist.gov/vuln/detail/CVE-2023-42446
• pow-auth/pow#713
• pow-auth/pow#714
• pow-auth/pow@15dc525

Published to the GitHub Advisory Database

Sep 19, 2023

Last updated

Sep 19, 2023