CVE-2025-24859

Severity: Low · CVSS 4.0 base score: 2.1 · EPSS: 60.3%
Published: Apr 14, 2025 (1y ago) · Last modified: Jun 17, 2026 (1w ago)

Description

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to and including 6.1.4. The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.
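The fix the description summarizes, centralized session tracking so that a password change or account disable revokes every live session for that account, can be modelled in a few dozen lines. The block below is an added illustration written for this page, not Apache Roller's own code; the class and function names (SessionRegistry, UserService, password_version, and so on) are hypothetical, and the account "alice" is a constructed sample. It also adds a second, independent check that the description does not mention: each session records the password version it was issued under, so a stale session is rejected at validation time even if some code path forgets to call the registry.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password_hash: str
    password_version: int = 0   # incremented on every password change
    enabled: bool = True


@dataclass
class Session:
    username: str
    password_version: int       # password version this session was issued under


class SessionRegistry:
    """Central index of live sessions, keyed by session id and by user.

    Indexing per user is what turns "revoke everything for this account"
    into one operation instead of a best-effort search.
    """

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}
        self._by_user: dict[str, set[str]] = {}

    def create(self, user: User) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user.name, user.password_version)
        self._by_user.setdefault(user.name, set()).add(sid)
        return sid

    def lookup(self, sid: str) -> Session | None:
        return self._sessions.get(sid)

    def invalidate_all(self, username: str) -> int:
        """Drop every session belonging to the user; returns how many were removed."""
        sids = self._by_user.pop(username, set())
        for sid in sids:
            self._sessions.pop(sid, None)
        return len(sids)


def _hash_password(password: str) -> str:
    # Placeholder for the example only; real code uses a slow hash (bcrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()


class UserService:
    def __init__(self, registry: SessionRegistry) -> None:
        self.registry = registry
        self.users: dict[str, User] = {}

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = User(name, _hash_password(password))

    def login(self, name: str, password: str) -> str | None:
        user = self.users.get(name)
        if user is None or not user.enabled:
            return None
        if not hmac.compare_digest(user.password_hash, _hash_password(password)):
            return None
        return self.registry.create(user)

    def change_password(self, name: str, new_password: str) -> int:
        """Set a new password and revoke all existing sessions (user- or admin-initiated)."""
        user = self.users[name]
        user.password_hash = _hash_password(new_password)
        user.password_version += 1
        return self.registry.invalidate_all(name)

    def disable_user(self, name: str) -> int:
        user = self.users[name]
        user.enabled = False
        return self.registry.invalidate_all(name)

    def is_authenticated(self, sid: str) -> bool:
        """Validate a presented session id on every request.

        The password_version comparison is defense in depth: it rejects a
        stale session even if some code path never called invalidate_all.
        """
        session = self.registry.lookup(sid)
        if session is None:
            return False
        user = self.users.get(session.username)
        return (
            user is not None
            and user.enabled
            and session.password_version == user.password_version
        )


if __name__ == "__main__":
    svc = UserService(SessionRegistry())
    svc.add_user("alice", "old-password")        # constructed sample account
    sid = svc.login("alice", "old-password")
    print("before change:", svc.is_authenticated(sid))   # True
    svc.change_password("alice", "new-password")
    print("after change:", svc.is_authenticated(sid))    # False
```

The behaviour the CVE describes corresponds to a change_password that updates the hash but never touches the registry; in the model above, that omission would still be caught by the password_version comparison in is_authenticated, which is why the two mechanisms are worth keeping together. In a real deployment the registry must be shared across application nodes (a database or cache keyed by user), otherwise sessions held by another node survive the revocation.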

CVSS Details

Base Score
2.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:Amber
Attack Vector Network
Attack Complexity High
Privileges Required High
User Interaction None
Scope N

Threat Intelligence

EPSS Exploit Probability
60.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-613

Affected Products 1

Vendor   Product   Version   Range
apache   roller    *         ≥1.0  –  <6.1.5

References 3

  • openwall.com http://www.openwall.com/lists/oss-security/2025/04/11/1
    Mailing List
  • lists.apache.org https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f
    Release Notes
  • lists.apache.org https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.