CVE-2020-5205

Session fixation attack in Pow (Hex package)

Description

In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability.

Remediation

Workaround:

  • Call Plug.Conn.configure_session(conn, renew: true) periodically and after privilege change. A custom authorization plug can be written where the create/3 method should return the conn only after Plug.Conn.configure_session/2 have been called on it.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.30%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com
Affected: danschultzer Pow
Published at:
Updated at:

References

Link Tags
https://github.com/danschultzer/pow/security/advisories/GHSA-v2wf-c3j6-wpvw third party advisory
https://github.com/danschultzer/pow/commit/578ffd3d8bb8e8a26077b644222186b108da474f third party advisory patch
https://github.com/danschultzer/pow/blob/master/CHANGELOG.md#v1016-2020-01-07 third party advisory

Frequently Asked Questions

What is the severity of CVE-2020-5205?
CVE-2020-5205 has been scored as a medium severity vulnerability.
How to fix CVE-2020-5205?
As a workaround for remediating CVE-2020-5205: Call Plug.Conn.configure_session(conn, renew: true) periodically and after privilege change. A custom authorization plug can be written where the create/3 method should return the conn only after Plug.Conn.configure_session/2 have been called on it.
Is CVE-2020-5205 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2020-5205 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-5205?
CVE-2020-5205 affects danschultzer Pow.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.