CVE-2020-5205 : What You Need to Know

Learn about CVE-2020-5205, a vulnerability in Pow (Hex package) allowing session fixation attacks. Find out the impact, affected systems, exploitation mechanism, and mitigation steps.

In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. This vulnerability does not affect the Cookie store commonly used in most Phoenix apps.

Understanding CVE-2020-5205

What is CVE-2020-5205?

CVE-2020-5205 is a vulnerability in Pow (Hex package) that allows for session fixation attacks when a persistent session store like Redis or a database is used.

The Impact of CVE-2020-5205

The vulnerability has a CVSS base score of 6.5 (medium severity), with a high confidentiality impact and a low integrity impact.

Technical Details of CVE-2020-5205

Vulnerability Description

The vulnerability arises from the use of Plug.Session in Pow.Plug.Session in versions prior to 1.0.16, making it susceptible to session fixation attacks with certain session stores.

Affected Systems and Versions

        Product: Pow
        Vendor: danschultzer
        Versions Affected: < 1.0.16

Exploitation Mechanism

        Attack Complexity: High
        Attack Vector: Network
        Privileges Required: Low
        User Interaction: Required

Mitigation and Prevention

Immediate Steps to Take

        Periodically call Plug.Conn.configure_session(conn, renew: true) to regenerate the session id
        After privilege changes, make sure Plug.Conn.configure_session/2 is called with renew: true

Long-Term Security Practices

        Implement a custom authorization plug to manage session renewals
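The following plug is an added example (not Pow's own code) of the renewal pattern described under "Immediate Steps to Take" and "Long-Term Security Practices": it regenerates the Plug.Session id whenever the authenticated user changes and at a fixed interval, so a session id established before login is never carried over into the authenticated session. It assumes the plug is placed after Pow.Plug.Session in the router pipeline and that the user struct has an :id field; the module name and the 30-minute interval are assumptions.

```elixir
defmodule MyAppWeb.Plugs.SessionRenewal do
  @moduledoc """
  Added example, not part of Pow. Renews the Plug.Session id when the
  authenticated user changes (login, logout, privilege change) and every
  @renew_after_seconds, which limits how long a fixated id stays valid
  in a persistent store such as Redis or a database.

  Assumed placement in the router, after Pow.Plug.Session:

      plug MyAppWeb.Plugs.SessionRenewal
  """
  import Plug.Conn

  # Assumed policy value: force a new session id every 30 minutes.
  @renew_after_seconds 30 * 60

  def init(opts), do: opts

  def call(conn, _opts) do
    current_id = current_user_id(conn)
    last_id = get_session(conn, :renewal_user_id)
    renewed_at = get_session(conn, :renewal_at) || 0
    now = System.system_time(:second)

    if current_id != last_id or now - renewed_at > @renew_after_seconds do
      # renew: true makes Plug.Session drop the old id in the store and
      # write the current session data under a freshly generated id.
      conn
      |> configure_session(renew: true)
      |> put_session(:renewal_user_id, current_id)
      |> put_session(:renewal_at, now)
    else
      conn
    end
  end

  # nil when no user is authenticated; the user's id otherwise.
  defp current_user_id(conn) do
    case Pow.Plug.current_user(conn) do
      %{id: id} -> id
      _ -> nil
    end
  end
end
```

Because this plug only observes the user on the next request, the login request itself should also call configure_session(conn, renew: true) right after Pow.Plug.authenticate_user/2 succeeds, so the id is replaced before the first authenticated response is sent.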

Patching and Updates

        Update Pow to version 1.0.16 or newer to mitigate the vulnerability.
