Thursday, April 17, 2025

A critical security vulnerability, CVE-2025-24859, has been disclosed in Apache Roller, a popular Java-based open-source blogging server. The flaw, which affects versions ≤6.1.4, has been assigned the maximum CVSS score of 10.0, indicating its severity. The vulnerability stems from unsafe session management, allowing authenticated sessions to remain active even after a password reset, leaving systems vulnerable to continued unauthorized access.
According to the Apache Roller development team, if an attacker had previously obtained a user’s credentials, this vulnerability could allow them to maintain access via an existing session, despite any password changes made by the user or administrator. The issue has been resolved in version 6.1.5, which introduces improved centralized session management. This fix ensures that all active sessions are automatically invalidated when a password is changed or a user account is disabled.
The flaw was responsibly disclosed by security researcher Haining Meng, and its revelation coincides with other recent critical Apache vulnerabilities, such as CVE-2025-30065 (RCE vulnerability in Apache Parquet, CVSS 10.0) and CVE-2025-24813 (Apache Tomcat, CVSS 9.8), which has already been exploited in the wild. These incidents highlight the growing urgency for organizations to promptly update and secure open-source software stacks to mitigate exposure to high-impact threats.
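To make the session-management defect and its fix concrete, here is an added example (illustrative Python, not Apache Roller's own code): a centralized session registry indexed by user, with a password-change routine that leaves existing sessions alive, as the advisory describes for versions up to 6.1.4, beside one that revokes them, as 6.1.5 does on password change and account disable. All names (`User`, `SessionStore`, `change_password_*`, `disable_account_fixed`) are hypothetical.

```python
import hashlib
import hmac
import secrets


def _hash(password: str) -> str:
    # Simplified hashing for the example; a real deployment uses a slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


class User:
    def __init__(self, username: str, password: str):
        self.username = username
        self.password_hash = _hash(password)
        self.enabled = True


class SessionStore:
    """Centralized registry: every live session token is indexed by its user,
    so a credential change can revoke all of that user's sessions at once."""

    def __init__(self):
        self._sessions = {}   # token -> username
        self._by_user = {}    # username -> set of tokens

    def login(self, user: User, password: str):
        if not user.enabled:
            return None
        if not hmac.compare_digest(user.password_hash, _hash(password)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user.username
        self._by_user.setdefault(user.username, set()).add(token)
        return token

    def is_valid(self, token) -> bool:
        return token in self._sessions

    def invalidate_user(self, username: str) -> None:
        for token in self._by_user.pop(username, set()):
            self._sessions.pop(token, None)


def change_password_vulnerable(store: SessionStore, user: User, new_pw: str):
    # Credentials change, but sessions minted with the old ones stay valid.
    user.password_hash = _hash(new_pw)


def change_password_fixed(store: SessionStore, user: User, new_pw: str):
    user.password_hash = _hash(new_pw)
    store.invalidate_user(user.username)   # revoke every existing session


def disable_account_fixed(store: SessionStore, user: User):
    user.enabled = False
    store.invalidate_user(user.username)
```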
Source https://thehackernews.com/2025/04/critical-apache-roller-vulnerability.html