Description
Apache::Session versions through 1.94 for Perl re-creates deleted sessions.

The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.
Published: 2026-05-08
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache::Session versions through 1.94 re-create sessions that have been deleted, specifically when using the File or DB_File stores. This flaw can result in sessions being revived, potentially restoring data that was intended to be permanently removed. The weakness is classified as CWE-672, indicating that the store keeps operating on session state after that state has been released, so data that should have been gone can be accessed again.

Affected Systems

The affected product is Apache::Session from the CHORNY vendor, any installed version up to and including 1.94. The vulnerability occurs in all environments where the File or DB_File session stores are configured, such as web applications that rely on this Perl module for session management.

Risk and Exploitability

The EPSS score is < 1%, indicating a very low but nonzero exploitation probability, and the vulnerability is not listed in CISA KEV, suggesting limited exploitation activity. The CVSS score is 9.1, indicating a critical severity vulnerability. The attack vector is likely local or through web interfaces that instantiate Apache::Session, where an attacker could trigger the recreation of a deleted session and access residual data. Because the flaw involves a reinstatement of a previously removed state, exploitation would require the attacker to target systems that rely on the File or DB_File session stores.

Generated by OpenCVE AI on May 8, 2026 at 20:36 UTC.

Remediation

Vendor Workaround

Use a database store based on Apache::Session::Store::DBI.


OpenCVE Recommended Actions

  • Reconfigure the application to use Apache::Session::Store::DBI instead of Store::File or Store::DB_File to prevent accidental recreation of deleted sessions
  • Upgrade Apache::Session to a version newer than 1.94, if available, to apply vendor fixes for this issue
  • Implement monitoring or logging of session creation and deletion events to detect unexpected session resurrection activities

Advisories

No advisories yet.

History

Mon, 11 May 2026 17:00:00 +0000

First Time appeared: added Chorny apache::session
Vendors & Products: added Chorny apache::session

Fri, 08 May 2026 20:00:00 +0000

First Time appeared: added Chorny, Chorny apache\
CPEs: added cpe:2.3:a:chorny:apache\:\:session:*:*:*:*:*:perl:*:*
Vendors & Products: added Chorny, Chorny apache\

Fri, 08 May 2026 18:30:00 +0000

References: updated

Fri, 08 May 2026 18:15:00 +0000

Metrics added:

cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 08:15:00 +0000

Description added: Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.
Title added: Apache::Session versions through 1.94 for Perl re-creates deleted sessions
Weaknesses added: CWE-672
References: updated

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-08T17:58:32.010Z

Reserved: 2026-04-20T11:38:29.675Z

Link: CVE-2013-10075

Vulnrichment

Updated: 2026-05-08T17:30:40.975Z

NVD

Status : Analyzed

Published: 2026-05-08T08:16:43.463

Modified: 2026-05-08T19:51:16.810

Link: CVE-2013-10075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T16:11:03Z

Weaknesses