Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pow Mnesia cache doesn't invalidate all expired keys on startup
Vulnerability Description
Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
证书过期验证不恰当
Vulnerability Title
Pow 安全漏洞
Vulnerability Description
Pow是开源的一个完整的身份验证和用户管理库,内置于 Elixir 中,可在完全可定制的同时为基于 Phoenix 和 Plug 的应用程序开箱即用。 Pow 1.0.14 到 1.0.34版本存在安全漏洞,该漏洞源于使用Pow.Store.Backend.MnesiaCache时容易受到会话劫持,因为过期密钥在启动时未正确失效。
CVSS Information
N/A
Vulnerability Type
N/A