Apache::Session versions through 1.94 for Perl re-creates deleted sessions
Summary
| CVE | CVE-2013-10075 |
|---|---|
| State | PUBLISHED |
| Assigner | CPANSec |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-08 08:16:43 UTC |
| Updated | 2026-05-08 08:16:43 UTC |
| Description | Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted. |
Risk And Classification
Problem Types: CWE-672 | CWE-672 CWE-672 Operation on a Resource after Expiration or Release
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | CHORNY | ApacheSession | affected 1.94 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| rt.cpan.org/Public/Bug/Display.html | 9b29abf9-4ab0-4765-b253-1875cd9b441e | rt.cpan.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Thomas Sibley (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2013-02-21T00:00:00.000Z | Issue reported |
Workarounds
CNA: Use a database store based on Apache::Session::Store::DBI.
There are currently no legacy QID mappings associated with this CVE.