Apache

Security Advisory

Critical Session Management Vulnerability in Apache Roller 

Summary Security Advisory

Apache Roller, a widely used Java-based blogging platform, enabling users to create, manage, and publish blog content. It supports features like user authentication, content management, and customizable themes.

OEM Apache 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-24859 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

A critical security vulnerability (CVE-2025-24859) has been discovered in Apache Roller (versions 1.0.0 to 6.1.4), where old sessions are not invalidated after a password change, allowing attackers to maintain unauthorized access if they have stolen a session token. This flaw poses a significant risk of session hijacking and unauthorized access, and users are advised to upgrade to version 6.1.5 to mitigate the issue. 

Vulnerability Name CVE ID Product Affected Severity 
Insufficient Session Expiration on Password Change CVE-2025-24859 Apache Roller Critical 

Technical Summary 

The vulnerability centers on insufficient session expiration.

When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions.

As a result, any session tokens  before the password change remain valid.

This means that if an attacker has already compromised a user’s credentials and established a session, they can continue to access the application even after the password is updated, effectively bypassing a key security control.

This can be a big security threat, particularly in systems used by many users or administrators, where it’s important to keep sessions secure. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-24859  Apache Roller 1.0.0 – 6.1.4 Sessions are not invalidated after password change, allowing persistent access through old sessions if compromised.  Unauthorized Access /  Session Hijacking 

Remediation

  • Apply Patches Promptly: Upgrade immediately to Apache Roller version 6.1.5, which implements proper centralized session invalidation. 

Conclusion: 

CVE-2025-24859 represents a critical access control threat to Apache Roller implementations.

Although no active exploitation has been observed still now, it’s easy for attackers to misuse sessions if they gain access. Its important for organizations using Apache Roller to quickly update to version 6.1.5 to fix this problem. 

This is a critical step in maintaining the security of blog sites and protecting user data.

CVE-2025-24859 highlights the importance of robust session management in web applications.

References

Security Advisory

Apache NiFi Security Flaw Exposes MongoDB Credentials 

Security Advisory

A security vulnerability, CVE-2025-27017, has been identified in Apache NiFi.

These events retain usernames/passwords used for MongoDB authentication, violating credential isolation principles.

OEM Apache 
Severity Medium 
CVSS 6.9 
CVEs CVE-2025-27017 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A widely used data flow automation tool which allows unauthorized access to MongoDB credentials stored in provenance events. The Versions are affected from v1.13.0 to v2.2.0. In v2.3.0 the issue has been addressed. 

Vulnerability Name CVE ID Product Affected Severity 
 Apache NiFi Credential Exposure  CVE-2025-27017  Apache NiFi  Medium 

Technical Summary 

The vulnerability stems from Apache NiFi’s inclusion of MongoDB usernames and passwords in provenance event records.

Any authorized user with read access to these records can extract credentials information, leading to potential unauthorized access to MongoDB databases.  

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-27017   Apache NiFi 1.13.0 – 2.2.0   MongoDB credentials are stored in provenance events, allowing unauthorized extraction by users with read access.  Unauthorized access to MongoDB databases, potential data breaches.  

Remediation

  • Upgrade to Apache NiFi 2.3.0: The latest version removes credentials from provenance events, mitigating the vulnerability. 

General Recommendations: 

  • Restrict access to provenance data: Ensure only authorized personnel can view provenance records. 
  • Rotate MongoDB credentials: If affected versions were in use, change database credentials to prevent unauthorized access. 
  • Conduct security audits: Regularly review system logs and access controls to identify any unauthorized access attempts. 

Conclusion: 

This vulnerability poses a risk to organizations using Apache NiFi for data processing workflows involving MongoDB. Immediate action is recommended to upgrade to version 2.3.0 or later, restrict access to provenance data, and rotate credentials to mitigate any potential exposure. Organizations should implement stringent security measures to protect against similar vulnerabilities in the future.

This security flaw is particularly concerning because provenance events play a crucial role in auditing and monitoring data flows within NiFi. If left unpatched, this vulnerability could result in data breaches, unauthorized modifications, or even complete database compromise.

References: 

Security Advisory

Critical Apache Tomcat Vulnerabilities Allow RCE & DoS

Summary

OEMApache
SeverityCritical
CVSS9.8
CVEsCVE-2024-50379, CVE-2024-54677
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

Recent vulnerabilities in Apache Tomcat, identified as CVE-2024-50379 and CVE-2024-54677, present significant security threats, including remote code execution (RCE) and denial-of-service (DoS) risks. CVE-2024-50379 exploits a race condition during JSP compilation on case-insensitive file systems, enabling attackers to run arbitrary code. CVE-2024-54677 takes advantage of unlimited file uploads in example applications to trigger resource exhaustion.

Vulnerability NameCVE IDProduct AffectedSeverityAffected Version
Race Condition Vulnerability CVE-2024-50379ApacheCriticalApache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97
Uncontrolled Resource Consumption Vulnerability CVE-2024-54677ApacheMediumApache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97

Technical Summary

CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2024-50379Apache TomcatA race condition during JSP compilation in Apache Tomcat allows attackers to upload malicious JSP files, leading to remote code execution. This occurs when the default servlet is configured with write permissions on a case-insensitive file system.    Remote Code Execution
CVE-2024-54677Apache TomcatThe examples web application in Apache Tomcat does not limit the size of uploaded data, enabling attackers to cause an OutOfMemoryError by uploading excessive amounts of data, leading to a denial of service.    Denial of Service

Remediation:

  • Upgrade Apache Tomcat to the latest fixed versions:
    • Apache Tomcat 11.0.2 or latest
    • Apache Tomcat 10.1.34 or latest
    • Apache Tomcat 9.0.98 or latest

Recommendations:

  • Configuration Hardening:
    • Restrict write permissions for the default servlet to prevent unauthorized JSP file uploads.
    • Remove or disable example applications to reduce exposure to potential attacks.
  • Monitor and Audit:
    • Regularly review server logs for signs of exploitation attempts.
    • Apply a robust file upload policy to limit sizes and validate content.
  • Regularly update all your software’s to address security vulnerabilities 

References:

Scroll to top