Apache::Session for Perl Creates Deleted Sessions

Summary

Apache::Session for Perl versions up to 1.94 can revive deleted sessions, potentially exposing sensitive data. This is a concern if you store confidential information in user sessions. To fix this, update to a newer version of Apache::Session for Perl.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Ecosystem	Vendor	Product	Affected versions
Ubuntu:16.04:LTS	canonical	libapache-session-perl	All versions
Ubuntu:18.04:LTS	canonical	libapache-session-perl	All versions
Ubuntu:20.04:LTS	canonical	libapache-session-perl	All versions
Ubuntu:22.04:LTS	canonical	libapache-session-perl	All versions
Ubuntu:24.04:LTS	canonical	libapache-session-perl	All versions
Ubuntu:25.10	canonical	libapache-session-perl	All versions
Ubuntu:26.04	canonical	libapache-session-perl	All versions

Original title

Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not e...

Original description

Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.

osv CVSS3.1 9.1

https://ubuntu.com/security/CVE-2013-10075 Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2013-10075 Third Party Advisory
https://lists.security.metacpan.org/cve-announce/msg/39844719/ Third Party Advisory
https://rt.cpan.org/Public/Bug/Display.html?id=83525 Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/05/08/12 Third Party Advisory