CVE-2020-5205: Session fixation attack in Pow (Hex package)

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2020-5205

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Session fixation attack in Pow (Hex package)

Source: NVD (National Vulnerability Database)

Vulnerability Description

In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

会话固定

Source: NVD (National Vulnerability Database)

Vulnerability Title

Pow 授权问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Pow是开源的一个完整的身份验证和用户管理库，内置于 Elixir 中，可在完全可定制的同时为基于 Phoenix 和 Plug 的应用程序开箱即用。 Pow 1.0.16之前版本中存在授权问题漏洞。该漏洞源于网络系统或产品中缺少身份验证措施或身份验证强度不足。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
danschultzer	Pow	< 1.0.16	-

II. Public POCs for CVE-2020-5205

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2020-5205

Please Login to view more intelligence information

https://github.com/danschultzer/pow/blob/master/CHANGELOG.md#v1016-2020-01-07x_refsource_MISC
https://github.com/danschultzer/pow/security/advisories/GHSA-v2wf-c3j6-wpvwx_refsource_CONFIRM
https://github.com/danschultzer/pow/commit/578ffd3d8bb8e8a26077b644222186b108da474fx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2020-5205

IV. Related Vulnerabilities

Same product: Pow

CVE-2023-42446
Pow Mnesia cache doesn't invalidate all expired keys on star

Same weakness: CWE-384

V. Comments for CVE-2020-5205

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2020-5205

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2020-5205

III. Intelligence Information for CVE-2020-5205

IV. Related Vulnerabilities

V. Comments for CVE-2020-5205

Leave a comment