CVE-2013-2249 — Session Fixation in Apache Http Server

CWE-384 — Session Fixation9 documents8 sources

Severity

7.5HIGHNVD

EPSS

43.7%

top 2.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server

Timeline

PublishedJul 23

Latest updateMay 13

Description

mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

▶NVDapache/http_server2.4.1 — 2.4.4

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-gjwh-q2rh-9mjm: mod_session_dbd↗2022-05-13

▶

OSV

CVE-2013-2249: mod_session_dbd↗2013-07-23

▶

CVEList

CVE-2013-2249: mod_session_dbd↗2013-07-23

▶

📋Vendor Advisories

Red Hat

httpd: mod_session_dbd session fixation flaw↗2013-07-22

▶

Debian

CVE-2013-2249: apache2 - mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before...↗2013

▶

Apache

Apache httpd: CVE-2013-2249↗

▶

💬Community

Bugzilla

CVE-2013-2249 httpd: mod_session_dbd session fixation flaw↗2013-07-23

▶

Bugzilla

CVE-2013-2249 httpd: session fixation flaw in Apache mod_session_dbd [fedora-all]↗2013-07-23

▶