Apache Roller Session Management Vulnerability Allowing Unauthorized Access After Password Change

Vulnerability

A session management vulnerability exists in Apache Roller versions prior to 6.1.5. The issue arises because active user sessions are not properly invalidated after a password change. This means that when a password is changed, either by the user or an administrator, existing sessions remain active. As a result, access to the application can continue through these old sessions, potentially leading to unauthorized access if the previous credentials were compromised.

Impact

Exploitation of this vulnerability could result in unauthorized access to the application through active sessions, even after a password change.

Remediation

Users should upgrade to Apache Roller version 6.1.5, which includes a new session management implementation that properly invalidates all active sessions when passwords are changed or users are disabled. This version is available for download from the Apache Roller website.
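The following is an added illustration, not Apache Roller's own code: a minimal in-memory user and session store that shows the flaw described above (a password change that touches only the stored hash, leaving existing sessions usable) beside the remediated behaviour (every session for the account is revoked when the password changes or the account is disabled). All names, the PBKDF2 choice, and the "credential version" bookkeeping are assumptions of this example, not details of the Roller implementation.

```python
"""Added example, not Apache Roller code: session invalidation on password change.
Usernames, passwords and the key-derivation choice below are constructed."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password KDF a real application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    enabled: bool = True
    credential_version: int = 0  # incremented on every password change


@dataclass
class Session:
    session_id: str
    username: str
    credential_version: int  # the user's version at the time the session was issued
    created_at: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a new session id on success, None otherwise."""
        user = self.users.get(username)
        if user is None or not user.enabled:
            return None
        if not secrets.compare_digest(hash_password(password, user.salt), user.password_hash):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, username, user.credential_version)
        return sid

    def is_session_valid(self, session_id: str) -> bool:
        """Every request should pass through this check, not just login."""
        session = self.sessions.get(session_id)
        if session is None:
            return False
        user = self.users.get(session.username)
        if user is None or not user.enabled:
            return False
        # A session minted under an older credential version is stale even if it
        # somehow outlived revocation (for example in a replicated session cache).
        return session.credential_version == user.credential_version

    def change_password_vulnerable(self, username: str, new_password: str) -> None:
        """Models the flaw in the advisory: only the stored hash changes, so every
        existing session for the account keeps working."""
        user = self.users[username]
        user.password_hash = hash_password(new_password, user.salt)

    def change_password(self, username: str, new_password: str) -> int:
        """Remediated behaviour: rotate the hash, bump the credential version and
        drop all sessions. Returns the number of sessions revoked."""
        user = self.users[username]
        user.password_hash = hash_password(new_password, user.salt)
        user.credential_version += 1
        return self._revoke_sessions(username)

    def disable_user(self, username: str) -> int:
        """Disabling an account must also end its sessions. Returns the count revoked."""
        user = self.users[username]
        user.enabled = False
        return self._revoke_sessions(username)

    def _revoke_sessions(self, username: str) -> int:
        stale = [sid for sid, s in self.sessions.items() if s.username == username]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)


if __name__ == "__main__":
    store = SessionStore()
    store.add_user("alice", "old-pass")
    sid = store.login("alice", "old-pass")
    store.change_password_vulnerable("alice", "new-pass")
    print("old session still valid after vulnerable change:", store.is_session_valid(sid))
    store.change_password("alice", "newer-pass")
    print("old session valid after remediated change:", store.is_session_valid(sid))
```

The revocation and the version check are deliberately both present: deleting sessions handles the single-node case, while recording the credential version in each session catches any copy of a session that survives the purge, which is the situation a shared or replicated session store can produce.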

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 5.7
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.