CVE-2013-10075
Analyzed Analyzed - Analysis Complete

Session Revival Vulnerability in Apache::Session for Perl

Vulnerability report for CVE-2013-10075, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: CPANSec

Description

Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-07-09
AI Q&A
2026-05-08
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
chorny apache to 1.94 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, it is recommended to avoid using the vulnerable session stores Apache::Session::Store::File and Apache::Session::Store::DB_File, which can recreate deleted sessions.

A suggested workaround is to switch to using a database store based on Apache::Session::Store::DBI, which does not exhibit this issue.

Executive Summary

This vulnerability affects Apache::Session versions through 1.94 for Perl, where deleted sessions can be re-created. Specifically, the session stores Apache::Session::Store::File and Apache::Session::Store::DB_File may create sessions that were previously deleted, effectively reviving sessions that should no longer exist.

As a result, data that was intended to be deleted from these sessions might still be accessible or restored unintentionally.

Impact Analysis

The impact of this vulnerability is that sessions which were deleted can be revived, potentially exposing sensitive or outdated session data that should have been removed.

This can lead to unauthorized access to session information, confusion in session management, and possible security risks if sensitive data is restored unintentionally.

Compliance Impact

This vulnerability allows deleted sessions to be re-created, potentially reviving session data that was intended to be deleted.

Such behavior can lead to retention of personal or sensitive data beyond its intended lifecycle, which may conflict with data protection requirements in regulations like GDPR and HIPAA that mandate proper deletion and protection of user data.

Therefore, the vulnerability could negatively impact compliance by undermining data deletion policies and increasing the risk of unauthorized access to supposedly deleted session information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2013-10075. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart