8.8 CVE-2025-24859

Enriched by CISA

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to and including 6.1.4. The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.
https://nvd.nist.gov/vuln/detail/CVE-2025-24859

Categories

CWE-613 : Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Set sessions/credentials expiration date. JavaScript SDK does not set an expiration time for JWE tokens related to a session Web interface for a power quality analyzer uses tokens without an expiration date network traffic analyzer for PROFINET networks does not expire sessions AI/ML monitor for IT operations allows re-use of old session tokens due to insufficient session expiration

References

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2025/04/11/1 Mailing List

security@apache.org

https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f Release Notes
https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23 Vendor Advisory

AFFECTED (from MITRE)

Vendor	Product	Versions
Apache Software Foundation	Apache Roller	1.0.0 < 6.1.5 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:apache:roller::::::::	>= 1.0	< 6.1.5

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee