CVE-2013-10075: Apache::Session versions through 1.94 for Perl re-creates deleted sessions
Robert Rothenberg 08 May 2026 07:45 UTC
========================================================================
CVE-2013-10075 CPAN Security Group
========================================================================
CVE ID: CVE-2013-10075
Distribution: Apache-Session
Versions: through 1.94
MetaCPAN: https://metacpan.org/dist/Apache-Session
VCS Repo: http://github.com/chorny/Apache-Session

Apache::Session versions through 1.94 for Perl re-creates deleted
sessions

Description
-----------
Apache::Session versions through 1.94 for Perl re-creates deleted
sessions.

The session stores Apache::Session::Store::File and
Apache::Session::Store::DB_File will create a session that does not
exist. This can lead to sessions being revived, potentially with data
that was to be deleted.

Problem types
-------------
- CWE-672 Operation on a Resource after Expiration or Release

Workarounds
-----------
Use a database store based on Apache::Session::Store::DBI.

References
----------
https://rt.cpan.org/Public/Bug/Display.html?id=83525

Timeline
--------
- 2013-02-21: Issue reported

Credits
-------
Thomas Sibley, finder
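
To find code that needs the workaround above, the following added example (not part of the advisory or of Apache-Session) scans Perl source for the two stores named in the Description. It assumes the distribution's front-end classes Apache::Session::File, Apache::Session::DB_File and Apache::Session::Flex (with a `Store` option) are how applications reach those stores; the function name and the sample input are constructed for illustration.

```python
import re

# Direct references: the store classes named in the advisory, plus the
# front-end classes Apache::Session::File / ::DB_File (assumed from the
# distribution's layout, not listed in the advisory text).
DIRECT = re.compile(r"Apache::Session::(?:Store::)?(File|DB_File)\b")
# Apache::Session::Flex selects its store by name through a Store option.
FLEX_STORE = re.compile(r"\bStore\s*=>\s*['\"]?(File|DB_File)\b")

# Constructed sample input, not taken from any real application.
SAMPLE = """\
use Apache::Session::File;
tie my %s, 'Apache::Session::File', $id, { Directory => '/tmp/sessions' };
use Apache::Session::Flex;
tie my %f, 'Apache::Session::Flex', $id, {
    Store => 'DB_File',
    Lock  => 'File',
};
# use Apache::Session::DB_File;
use Apache::Session::Postgres;
"""


def find_affected_stores(source):
    """Return sorted (line_number, store) pairs for uses of the affected stores."""
    hits = set()
    uses_flex = "Apache::Session::Flex" in source
    for number, line in enumerate(source.splitlines(), 1):
        # Drop Perl line comments (naive: does not handle '#' inside strings).
        code = line.split("#", 1)[0]
        for match in DIRECT.finditer(code):
            hits.add((number, match.group(1)))
        # A Store option only selects a session store when Flex is in use.
        if uses_flex:
            for match in FLEX_STORE.finditer(code):
                hits.add((number, match.group(1)))
    return sorted(hits)


if __name__ == "__main__":
    for number, store in find_affected_stores(SAMPLE):
        print(f"line {number}: uses Apache::Session::Store::{store}")
```

Lock classes such as Apache::Session::Lock::File are deliberately not matched, since the advisory names only the two store classes.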