Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence

April 15, 2025 | Ravie Lakshmanan | Vulnerability / Software Security

A critical security flaw has been disclosed in Apache Roller, the open-source, Java-based blog server software, that could allow malicious actors to retain unauthorized access even after a password change. The flaw has since been fixed.

The flaw, which has been assigned a CVE identifier, carries a CVSS score of 10.0, indicating maximum severity. It impacts all versions of Roller up to and including 6.1.4.

"A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes," according to the project maintainers' advisory.

When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable.

Successful exploitation of the weakness could allow an attacker to maintain access to the application through old sessions even after a password change. It could also enable unrestricted access if credentials were compromised.

The flaw has been addressed in version 6.1.5 by implementing centralized session management, which ensures that all active sessions are invalidated when passwords are changed or users are disabled.
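The mechanism behind the fix, shown as an added example rather than Roller's own code: a server-side session registry that indexes every live session by its owner, so a password change or account disablement can revoke all of that user's sessions at once. The `BlogServer`, `SessionStore` and `Account` names, the `central_invalidation` switch and the "alice" test account are constructed for illustration; with the switch off, the class reproduces the reported behaviour (only the credential is updated, so a session issued under the old password keeps working), and with it on, the 6.1.5-style behaviour.

```python
"""Session persistence after a password change: the flawed flow beside the
centralized-invalidation fix. Constructed illustration, not Apache Roller code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    disabled: bool = False


class SessionStore:
    """Central registry of live sessions, indexed by session id and by user,
    so that every session belonging to one user can be revoked together."""

    def __init__(self) -> None:
        self._owner = {}    # session id -> username
        self._by_user = {}  # username -> set of session ids

    def create(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._owner[sid] = username
        self._by_user.setdefault(username, set()).add(sid)
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self._owner

    def revoke_all(self, username: str) -> int:
        """Invalidate every session of one user; returns how many were dropped."""
        sids = self._by_user.pop(username, set())
        for sid in sids:
            self._owner.pop(sid, None)
        return len(sids)


class BlogServer:
    """Minimal register/login/change-password flow. With central_invalidation
    False, a password change touches only the stored credential and sessions
    created under the old password survive, which is the reported flaw."""

    def __init__(self, central_invalidation: bool) -> None:
        self.central_invalidation = central_invalidation
        self.sessions = SessionStore()
        self.accounts = {}  # username -> Account

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or acct.disabled:
            return None
        if not hmac.compare_digest(acct.password_hash, self._hash(password, acct.salt)):
            return None
        return self.sessions.create(username)

    def change_password(self, username: str, new_password: str) -> None:
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = self._hash(new_password, acct.salt)
        if self.central_invalidation:
            # The fix: every session issued under the old credential dies with it.
            self.sessions.revoke_all(username)

    def disable_user(self, username: str) -> None:
        self.accounts[username].disabled = True
        if self.central_invalidation:
            self.sessions.revoke_all(username)

    def is_logged_in(self, sid: str) -> bool:
        return self.sessions.is_valid(sid)


def old_session_survives_password_change(central_invalidation: bool) -> bool:
    """Log in, change the password, and report whether the pre-change session
    is still accepted. True means the flaw is present."""
    server = BlogServer(central_invalidation)
    server.register("alice", "old-password")  # constructed test account
    sid = server.login("alice", "old-password")
    server.change_password("alice", "new-password")
    return server.is_logged_in(sid)


def old_session_survives_disable(central_invalidation: bool) -> bool:
    """Same check for the administrator disabling the account."""
    server = BlogServer(central_invalidation)
    server.register("alice", "old-password")
    sid = server.login("alice", "old-password")
    server.disable_user("alice")
    return server.is_logged_in(sid)
```

The detail that matters for a fix of this kind is the by-user index: a store keyed only by session id can validate a presented token but cannot find the other sessions a password change should retire, which is what centralized session management adds.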

Security researcher Haining Meng is credited with discovering and reporting the vulnerability.

The disclosure comes just weeks after another critical vulnerability was disclosed in Apache Parquet's Java library ( , CVSS score: 10.0) that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.

It also follows the active exploitation last month of a critical security flaw impacting Apache Tomcat ( , CVSS score: 9.8), which came shortly after details of the bug were made public.
