Description
Apache::Session versions through 1.94 for Perl re-create deleted sessions.

The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache::Session versions through 1.94 re-create sessions that have been deleted when the File or DB_File store is in use. This flaw can result in sessions being revived, potentially restoring data that was intended to be permanently removed. The weakness is classified as CWE-672 (Operation on a Resource after Expiration or Release): a session that has already been deleted can still be operated on, so its data remains reachable after it should be gone.

Affected Systems

The affected product is Apache::Session from the CHORNY vendor, any installed version up to and including 1.94. The vulnerability occurs in all environments where the File or DB_File session stores are configured, such as web applications that rely on this Perl module for session management.

Risk and Exploitability

No EPSS score is available, and the vulnerability is not listed in CISA KEV, suggesting limited or unknown exploitation activity. The CVSS score is not provided, so the impact severity cannot be precisely quantified. The attack vector is likely local or through web interfaces that instantiate Apache::Session, where an attacker could trigger the recreation of a deleted session and access residual data. Because the flaw involves a reinstatement of a previously removed state, exploitation would require the attacker to target systems that rely on these deprecated session stores.

Generated by OpenCVE AI on May 8, 2026 at 09:20 UTC.

Remediation

Vendor Workaround

Use a database store based on Apache::Session::Store::DBI.


OpenCVE Recommended Actions

  • Reconfigure the application to use Apache::Session::Store::DBI instead of Store::File or Store::DB_File to prevent accidental recreation of deleted sessions
  • Upgrade Apache::Session to a version newer than 1.94, if available, to apply vendor fixes for this issue
  • Implement monitoring or logging of session creation and deletion events to detect unexpected session resurrection activities

Generated by OpenCVE AI on May 8, 2026 at 09:20 UTC.
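One way to implement the monitoring recommendation above, as an added example that is not part of the OpenCVE record or of Apache::Session: replay an application-level session event log and flag any successful operation on a session ID after its delete. The log layout, event names and session IDs are constructed assumptions; the application has to emit these events itself, and only for operations that succeed.

```python
import re
from collections import namedtuple

# Constructed sample lines. The key=value layout and event names are assumptions:
# Apache::Session writes no such log, so the application must emit these events.
SAMPLE_LOG = """\
2026-05-08T09:00:01Z pid=4101 store=File sid=3f2a9c0b7d1e4a5f8b6c2d9e0f1a3b4c event=create
2026-05-08T09:00:07Z pid=4101 store=File sid=3f2a9c0b7d1e4a5f8b6c2d9e0f1a3b4c event=save
2026-05-08T09:02:30Z pid=4102 store=File sid=3f2a9c0b7d1e4a5f8b6c2d9e0f1a3b4c event=delete
2026-05-08T09:02:31Z pid=4101 store=File sid=3f2a9c0b7d1e4a5f8b6c2d9e0f1a3b4c event=save
2026-05-08T09:03:00Z pid=4103 store=DBI sid=aa11bb22cc33dd44ee55ff6677889900 event=create
2026-05-08T09:04:00Z pid=4103 store=DBI sid=aa11bb22cc33dd44ee55ff6677889900 event=delete
unrelated application log line
2026-05-08T09:05:10Z pid=4104 store=DB_File sid=0123456789abcdef0123456789abcdef event=delete
2026-05-08T09:05:12Z pid=4105 store=DB_File sid=0123456789abcdef0123456789abcdef event=load
"""

LINE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) store=(?P<store>\w+) "
    r"sid=(?P<sid>[0-9a-f]+) event=(?P<event>create|load|save|delete)$"
)
Finding = namedtuple("Finding", "sid store event deleted_at seen_at pid")


def find_revived_sessions(lines):
    """Return a Finding for each successful operation on a session ID after its delete."""
    deleted = {}   # sid -> timestamp of the first delete seen for that ID
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not session events
        sid, event = m["sid"], m["event"]
        if event == "delete":
            # A delete with no earlier create still counts: the session may
            # predate the log window.
            deleted.setdefault(sid, m["ts"])
        elif sid in deleted:
            # Session IDs are random, so any create/load/save after a delete
            # means the deleted session exists in the store again.
            findings.append(Finding(sid, m["store"], event,
                                    deleted[sid], m["ts"], int(m["pid"])))
    return findings


if __name__ == "__main__":
    for f in find_revived_sessions(SAMPLE_LOG.splitlines()):
        print(f"revived {f.sid} store={f.store} {f.event} at {f.seen_at} "
              f"(deleted {f.deleted_at}, pid {f.pid})")
```

A finding whose pid differs from the pid that logged the delete points at a second process that still held the session and wrote it back to the store.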

Advisories

No advisories yet.

History

Fri, 08 May 2026 08:15:00 +0000

Type Values Removed Values Added
Description Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.
Title Apache::Session versions through 1.94 for Perl re-creates deleted sessions
Weaknesses CWE-672
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-08T07:44:13.267Z

Reserved: 2026-04-20T11:38:29.675Z

Link: CVE-2013-10075

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T08:16:43.463

Modified: 2026-05-08T08:16:43.463

Link: CVE-2013-10075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T09:30:05Z
