CVE-2025-24859

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to and including 6.1.4. The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f	Release Notes
https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23	Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/04/11/1	Mailing List

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:roller:*:*:*:*:*:*:*:*

History

03 Jun 2025, 21:32

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:roller::::::::
References	~~() https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f -~~	() https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f - Release Notes
References	~~() https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23 -~~	() https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23 - Vendor Advisory
References	~~() http://www.openwall.com/lists/oss-security/2025/04/11/1 -~~	() http://www.openwall.com/lists/oss-security/2025/04/11/1 - Mailing List
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
First Time		Apache Apache roller

15 Apr 2025, 18:39

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de gestión de sesiones en Apache Roller anterior a la versión 6.1.5, donde las sesiones de usuario activas no se invalidan correctamente tras cambiar la contraseña. Cuando se cambia la contraseña de un usuario, ya sea por el propio usuario o por un administrador, las sesiones existentes permanecen activas y utilizables. Esto permite el acceso continuo a la aplicación a través de sesiones antiguas incluso después de cambiar la contraseña, lo que podría permitir el acceso no autorizado si las credenciales se ven comprometidas. Este problema afecta a las versiones de Apache Roller hasta la 6.1.4 incluida. La vulnerabilidad se corrige en Apache Roller 6.1.5 mediante la implementación de una gestión de sesiones centralizada que invalida correctamente todas las sesiones activas al cambiar las contraseñas o deshabilitar a los usuarios.

14 Apr 2025, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-14 09:15

Updated : 2025-06-03 21:32

NVD link : CVE-2025-24859

Mitre link : CVE-2025-24859

CVE.ORG link : CVE-2025-24859

JSON object : View

Products Affected

apache

roller

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2025-24859", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 2.1, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-14T09:15:14.223", "references": [{"url": "https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f", "tags": ["Release Notes"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/04/11/1", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised.\n\nThis issue affects Apache Roller versions up to and including 6.1.4.\n\nThe vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled."}, {"lang": "es", "value": "Existe una vulnerabilidad de gesti\u00f3n de sesiones en Apache Roller anterior a la versi\u00f3n 6.1.5, donde las sesiones de usuario activas no se invalidan correctamente tras cambiar la contrase\u00f1a. Cuando se cambia la contrase\u00f1a de un usuario, ya sea por el propio usuario o por un administrador, las sesiones existentes permanecen activas y utilizables. Esto permite el acceso continuo a la aplicaci\u00f3n a trav\u00e9s de sesiones antiguas incluso despu\u00e9s de cambiar la contrase\u00f1a, lo que podr\u00eda permitir el acceso no autorizado si las credenciales se ven comprometidas. Este problema afecta a las versiones de Apache Roller hasta la 6.1.4 incluida. La vulnerabilidad se corrige en Apache Roller 6.1.5 mediante la implementaci\u00f3n de una gesti\u00f3n de sesiones centralizada que invalida correctamente todas las sesiones activas al cambiar las contrase\u00f1as o deshabilitar a los usuarios."}], "lastModified": "2025-06-03T21:32:18.940", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:roller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42C996C5-1F15-45BD-B013-5DE883E564BB", "versionEndExcluding": "6.1.5", "versionStartIncluding": "1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}

8.8 /10