{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-15T13:08:18.811","vulnerabilities":[{"cve":{"id":"CVE-2025-24859","sourceIdentifier":"security@apache.org","published":"2025-04-14T09:15:14.223","lastModified":"2025-06-03T21:32:18.940","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised.\n\nThis issue affects Apache Roller versions up to and including 6.1.4.\n\nThe vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled."},{"lang":"es","value":"Existe una vulnerabilidad de gestión de sesiones en Apache Roller anterior a la versión 6.1.5, donde las sesiones de usuario activas no se invalidan correctamente tras cambiar la contraseña. Cuando se cambia la contraseña de un usuario, ya sea por el propio usuario o por un administrador, las sesiones existentes permanecen activas y utilizables. Esto permite el acceso continuo a la aplicación a través de sesiones antiguas incluso después de cambiar la contraseña, lo que podría permitir el acceso no autorizado si las credenciales se ven comprometidas. Este problema afecta a las versiones de Apache Roller hasta la 6.1.4 incluida. La vulnerabilidad se corrige en Apache Roller 6.1.5 mediante la implementación de una gestión de sesiones centralizada que invalida correctamente todas las sesiones activas al cambiar las contraseñas o deshabilitar a los usuarios."}],"metrics":{"cvssMetricV40":[{"source":"security@apache.org","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0\/AV:N\/AC:H\/AT:N\/PR:H\/UI:N\/VC:L\/VI:L\/VA:N\/SC:L\/SI:L\/SA:N\/E:X\/CR:X\/IR:X\/AR:X\/MAV:X\/MAC:X\/MAT:X\/MPR:X\/MUI:X\/MVC:X\/MVI:X\/MVA:X\/MSC:X\/MSI:X\/MSA:X\/S:N\/AU:N\/R:U\/V:X\/RE:L\/U:Amber","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NEGLIGIBLE","Automatable":"NO","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"LOW","providerUrgency":"AMBER"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-613"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:roller:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0","versionEndExcluding":"6.1.5","matchCriteriaId":"42C996C5-1F15-45BD-B013-5DE883E564BB"}]}]}],"references":[{"url":"https:\/\/lists.apache.org\/thread\/4j906k16v21kdx8hk87gl7663sw7lg7f","source":"security@apache.org","tags":["Release Notes"]},{"url":"https:\/\/lists.apache.org\/thread\/vxv52vdr8nhtjlj6v02w43fdvo0cxw23","source":"security@apache.org","tags":["Vendor Advisory"]},{"url":"http:\/\/www.openwall.com\/lists\/oss-security\/2025\/04\/11\/1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]}]}}]}