Bug 2467984 (CVE-2013-10075)

Summary: CVE-2013-10075 Apache::Session: Perl: Apache::Session::Store::File: Apache::Session::Store::DB_File: Apache::Session: Information disclosure due to re-creation of deleted sessions
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Apache::Session, a Perl module for managing user sessions. This vulnerability allows the session stores, specifically Apache::Session::Store::File and Apache::Session::Store::DB_File, to recreate sessions that were previously deleted. This can lead to the revival of old sessions, potentially with data that was intended to be removed, primarily impacting data integrity.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-08 09:01:15 UTC
Apache::Session versions through 1.94 for Perl re-creates deleted sessions.

The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist.  This can lead to sessions being revived, potentially with data that was to be deleted.