oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-24859: Apache Roller: Insufficient Session Expiration on Password Change

From: "David M. Johnson" <snoopdave () apache org>
Date: Fri, 11 Apr 2025 22:32:42 +0000
Severity: important

Affected versions:

- Apache Roller 1.0.0 before 6.1.5

Description:

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not 
properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an 
administrator, existing sessions remain active and usable. This allows continued access to the application through old 
sessions even after password changes, potentially enabling unauthorized access if credentials were compromised.

This issue affects Apache Roller versions up to and including 6.1.4.

The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly 
invalidates all active sessions when passwords are changed or users are disabled.

Credit:

Haining Meng (finder)

References:

https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23
https://roller.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-24859
Previous By Date Next
Previous By Thread Next

Current thread: