CVE-2025-24859

Severity CVSS v4.0:

LOW

Type:

Unavailable / Other

Publication date:

14/04/2025

Last modified:

03/06/2025

Description

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user&#39;s password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised.<br /> <br /> This issue affects Apache Roller versions up to and including 6.1.4.<br /> <br /> The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/S:N/AU:N/R:U/RE:L/U:Amber CVSS v4.0 Severity and Metrics:

Base Score: 2.10 LOW
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/S:N/AU:N/R:U/RE:L/U:Amber

Attack Vector (AV): Network
Attack Complexity (AC): High
Attack Requirements (AT): None
Privileges Required (PR): High
User Interaction (UI): None
Confidentiality (VC): Low
Integrity (VI): Low
Availability (VA): None
Confidentiality (SC): Low
Integrity (SI): Low
Availability (SA): None
Safety (S): Negligible
Automatable (AU): No
Recovery (R): User
Vulnerability Response Effort (RE): Low
Provider Urgency (U): Amber

Base Score 4.0

2.10

Severity 4.0

LOW

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 8.80 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High