AI description
CVE-2025-24859 is a session management weakness (CWE-613, Insufficient Session Expiration) in Apache Roller versions up to and including 6.1.4. When a user's password is changed, whether by the user or by an administrator, existing sessions are not invalidated, and the same holds when an account is disabled. An attacker who already holds a valid session, for example one obtained with a stolen or otherwise compromised credential, therefore keeps access after the victim or an administrator rotates the password, which is normally the first response to a compromise. Apache Roller 6.1.5 fixes this by introducing centralized session management that terminates all of a user's active sessions when the password is changed or the user is disabled. The CVSS 4.0 record on this page scores the issue 2.1 (Low), while several of the social media posts collected below cite a 10.0 score. Until an instance is on 6.1.5, the practical check is to log in, change the password from a second browser, and confirm that the first session is rejected on its next request.
- Description
- A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to and including 6.1.4. The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.
- Source
- security@apache.org
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 2.1
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:Amber
- Severity
- LOW
- CWE source
- security@apache.org
- CWE
- CWE-613 (Insufficient Session Expiration)
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 1
Apple fixes two actively exploited zero-days. New emergencies at Apache, Oracle, Fortinet and SonicWall. Cybersecurity, Apache Roller, backdoor, CISA KEV, CVE, CVE-2025-24859, fortinet, hijacking, iOS, MITRE, Oracle Cloud IAM, symlink, vulnerabilities, zero-day https://t.co/LJeGshpuJV h
@matricedigitale
17 Apr 2025
58 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical vulnerability CVE-2025-24859 found in Apache Roller allows persistent unauthorized access. Users must update to version 6.1.5 immediately. #ApacheRoller #CyberSecurity #CVE202524859 https://t.co/HtpXNjCP7I
@dailytechonx
16 Apr 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ Apache Roller CVE-2025-24859 — Session management fail. 🧨 CVSS 10.0 might be a stretch IMO, but may want to wake up for it. 🛑 Password changes didn’t kill old sessions = potential backdoor access. ✅ Fixed in v6.1.5 with proper session invalidation. 💡 If you run Roller htt
@CareWeDoNot
16 Apr 2025
44 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🗞️ Critical Apache Roller Flaw Allows Persistent Unauthorized Access Post-Password Change Social Media Post: A critical Apache Roller vulnerability (CVE-2025-24859, CVSS 10.0) lets attackers retain access to accounts even after password changes. Fixed in version 6.1.5, this fla
@gossy_84
16 Apr 2025
58 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE Alert: Critical Apache Roller Session Management Vulnerability🚨 Vulnerability Details: CVE-2025-24859 (CVSS v4 10/10) Apache Roller Session Management Vulnerability Impact: A successful exploit may allow an attacker to retain unauthorized access even after a password h
@CyberxtronTech
16 Apr 2025
62 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE Alert: Critical Apache Roller Session Management Vulnerability🚨 Vulnerability Details: CVE-2025-24859 (CVSS v4 10/10) Apache Roller Session Management Vulnerability Impact: A successful exploit may allow an attacker to retain unauthorized access even after a password h
@CyberxtronTech
16 Apr 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE Alert: Critical Apache Roller Session Management Vulnerability🚨 Vulnerability Details: CVE-2025-24859 (CVSS v3 9.3/10) Apache Roller Session Management Vulnerability Impact: A successful exploit may allow an attacker to retain unauthorized access even after a password h
@CyberxtronTech
16 Apr 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical Apache Roller vulnerability (CVSS 10.0) allows unauthorized session persistence (CVE-2025-24859) https://t.co/OwxbLOgM9h #Security #セキュリティ #ニュース
@SecureShield_
16 Apr 2025
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Two critical vulnerabilities (CVE-2025-24859 and CVE-2025-30065, both with a CVSS score of 10) threaten the security of systems using Apache Roller and Apache Parquet. Apache Roller allows unauthorized access even after password changes due to a session management flaw, whil...
@CybrPulse
15 Apr 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 Apache Roller Hit by 10.0 CVSS Flaw! Old sessions stay active even after a password change (CVE-2025-24859). Hackers can keep access silently. All versions ≤6.1.4 affected. 👉 Full details: https://t.co/X0EIIaTeHb 🔒 Fixed in v6.1.5. Patch now.
@TheHackersNews
15 Apr 2025
21998 Impressions
56 Retweets
72 Likes
11 Bookmarks
3 Replies
9 Quotes
Critical Apache Roller flaw (CVE-2025-24859, CVSSv4 10) exposes blogs to unauthorized access—patch immediately to prevent data breaches. Details: https://t.co/Y5053gdlGC #CyberSecurity #Vulnerability
@adriananglin
15 Apr 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical flaw found in Apache Roller (CVE-2025-24859): Sessions stay active after password changes. 🔒 Upgrade to 6.1.5 now to stay protected. Details 👉 https://t.co/NYiiwQadAE #CVE202524859 #ApacheRoller #CyberSecurity
@threatsbank
14 Apr 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-24859: CRITICAL] Apache Roller <6.1.5 has a session management flaw, leaving active sessions after password changes, risking unauthorized access, resolved in 6.1.5 with centralized session management.#cybersecurity,#vulnerability https://t.co/aJATuYhGXL https://t.co/
@CveFindCom
14 Apr 2025
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes