CVE-2020-5205 - OpenCVE

In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Powauth	Pow

Configuration 1 [-]

cpe:2.3:a:powauth:pow:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/danschultzer/pow/blob/master/CHANGELOG.md#v1016-2020-01-07
https://github.com/danschultzer/pow/commit/578ffd3d8bb8e8a26077b644222186b108da474f
https://github.com/danschultzer/pow/security/advisories/GHSA-v2wf-c3j6-wpvw

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-01-09T02:05:14

Updated: 2024-08-04T08:22:08.880Z

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5205

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-01-09T02:15:13.340

Modified: 2020-01-17T14:45:00.757

Link: CVE-2020-5205

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Pow", "vendor": "danschultzer", "versions": [{"status": "affected", "version": "< 1.0.16"}]}], "descriptions": [{"lang": "en", "value": "In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384 Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-01-09T02:05:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/danschultzer/pow/security/advisories/GHSA-v2wf-c3j6-wpvw"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/danschultzer/pow/commit/578ffd3d8bb8e8a26077b644222186b108da474f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/danschultzer/pow/blob/master/CHANGELOG.md#v1016-2020-01-07"}], "source": {"advisory": "GHSA-v2wf-c3j6-wpvw", "discovery": "UNKNOWN"}, "title": "Session fixation attack in Pow (Hex package)", "workarounds": [{"lang": "en", "value": "Call Plug.Conn.configure_session(conn, renew: true) periodically and after privilege change. A custom authorization plug can be written where the create/3 method should return the conn only after Plug.Conn.configure_session/2 have been called on it."}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5205", "STATE": "PUBLIC", "TITLE": "Session fixation attack in Pow (Hex package)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pow", "version": {"version_data": [{"version_value": "< 1.0.16"}]}}]}, "vendor_name": "danschultzer"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-384 Session Fixation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/danschultzer/pow/security/advisories/GHSA-v2wf-c3j6-wpvw", "refsource": "CONFIRM", "url": "https://github.com/danschultzer/pow/security/advisories/GHSA-v2wf-c3j6-wpvw"}, {"name": "https://github.com/danschultzer/pow/commit/578ffd3d8bb8e8a26077b644222186b108da474f", "refsource": "MISC", "url": "https://github.com/danschultzer/pow/commit/578ffd3d8bb8e8a26077b644222186b108da474f"}, {"name": "https://github.com/danschultzer/pow/blob/master/CHANGELOG.md#v1016-2020-01-07", "refsource": "MISC", "url": "https://github.com/danschultzer/pow/blob/master/CHANGELOG.md#v1016-2020-01-07"}]}, "source": {"advisory": "GHSA-v2wf-c3j6-wpvw", "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Call Plug.Conn.configure_session(conn, renew: true) periodically and after privilege change. A custom authorization plug can be written where the create/3 method should return the conn only after Plug.Conn.configure_session/2 have been called on it."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:08.880Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/danschultzer/pow/security/advisories/GHSA-v2wf-c3j6-wpvw"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/danschultzer/pow/commit/578ffd3d8bb8e8a26077b644222186b108da474f"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/danschultzer/pow/blob/master/CHANGELOG.md#v1016-2020-01-07"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5205", "datePublished": "2020-01-09T02:05:14", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:08.880Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:powauth:pow:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CF220C0-67AC-42E8-AF68-58AD6E44BD2B", "versionEndExcluding": "1.0.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability."}, {"lang": "es", "value": "En Pow (paquete Hex) versiones anteriores a 1.0.16, el uso de Plug.Session en Pow.Plug.Session es susceptible a ataques de fijaci\u00f3n de sesi\u00f3n si un almac\u00e9n de sesi\u00f3n persistente es utilizado para Plug.Session, tal y como Redis o una base de datos. La tienda de cookies, que es usada en la mayor\u00eda de las aplicaciones de Phoenix, no posee esta vulnerabilidad."}], "id": "CVE-2020-5205", "lastModified": "2020-01-17T14:45:00.757", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-01-09T02:15:13.340", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/danschultzer/pow/blob/master/CHANGELOG.md#v1016-2020-01-07"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/danschultzer/pow/commit/578ffd3d8bb8e8a26077b644222186b108da474f"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/danschultzer/pow/security/advisories/GHSA-v2wf-c3j6-wpvw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-384"}], "source": "security-advisories@github.com", "type": "Secondary"}]}