Critical Vulnerability Found in Apache Roller Blog Server

Post Views: 26

A critical vulnerability in Apache Roller could allow attackers to abuse previous sessions to maintain persistent access even after password changes.

An open source, Java-based blog server, Roller includes a content management system, multi-user support with three permission levels, integrated search, and support for templates and themes.

Last week, Apache warned that Roller version 6.1.5 was released with patches for a critical-severity bug in the software’s session management functionality that resulted in active user sessions not being properly invalidated.

Tracked as CVE-2025-24859 (CVSS score of 10/10), the issue resulted in existing sessions remaining active even after the users changed their passwords. These sessions, Apache warned, could be used to maintain persistent access to the server.

“This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised,” Apache explains.

All Roller versions up to and including 6.1.4 are affected by the security defect. Roller version 6.1.5 comes with a centralized session management improvement to properly invalidate all active sessions upon password changes or when a user account is disabled.

According to the release notes, the latest Roller iteration implements RollerLoginSessionManager for better session tracking and improves cache handling for user sessions.

This is the second critical-severity vulnerability with a maximum severity rating that Apache has resolved over the past two weeks, after patching CVE-2025-30065 in Apache Parquet.

Advertisement. Scroll to continue reading.

Described as the deserialization of untrusted data in the parquet-avro module, the Parquet bug could be exploited remotely for arbitrary code execution, potentially leading to complete system takeover.

Related: Exploit Code for Apache Tomcat RCE Vulnerability Published on Chinese Forum

Related: CISA Urges Urgent Patching for Exploited CentreStack, Windows Zero-Days

Related: Vulnerabilities Patched by Ivanti, VMware, Zoom

Related: Exploitation of Recent Critical Apache Struts 2 Flaw Begins

Source link

What's Hot

Sam Altman apparently does not respect olive oil

Equifax launches mobile app to help consumers track credit scores and improve financial health

Creditspring teams up with Doshi to boost UK borrowers’ financial literacy

Google Agrees to $1.3 Billion Settlement in Texas Privacy Lawsuits

437,000 Impacted by Ascension Health Data Breach

Asus DriverHub Vulnerabilities Expose Users to Remote Code Execution Attacks

US Deportation Airline GlobalX Confirms Hack

German Authorities Take Down Crypto Swapping Service eXch

US Announces Botnet Takedown, Charges Against Russian Administrators

Skechers’ Greenbergs Set To Pocket Up To $1.1 Billion From Sale To 3G

Trump Organization Admits President Still Controls His Business

Forbes Richest Person In Every State 2025

These Billionaire Signers Of The Giving Pledge Signers On Why The Philanthropy Group Still Matters

Sam Altman apparently does not respect olive oil

Equifax launches mobile app to help consumers track credit scores and improve financial health

Creditspring teams up with Doshi to boost UK borrowers’ financial literacy

Google’s Gemma AI models surpass 150M downloads

Our Picks

Sam Altman apparently does not respect olive oil

Google’s Gemma AI models surpass 150M downloads

This American VC is betting on European defense tech; that’s still very unusual

What's Hot

Critical Vulnerability Found in Apache Roller Blog Server

Related Posts

Subscribe to Updates