CVE-2013-10075
Apache · Apache::Session
Apache::Session for Perl fails to properly handle session deletion, allowing for the potential revival of deleted session data.
Executive summary
A session management flaw in Apache::Session enables the revival of supposedly deleted sessions, risking unauthorized access to sensitive user data.
Vulnerability
The session storage mechanisms Apache::Session::Store::File and Apache::Session::Store::DB_File do not correctly enforce deletion, allowing sessions to be recreated.
Business impact
This flaw undermines the fundamental security of session management, potentially allowing attackers to hijack or access data from sessions that were intended to be terminated. The CVSS score of 9.1 reflects the high risk of unauthorized access and data exposure.
Remediation
Immediate Action: Update to the latest available version of Apache::Session and audit session handling logic in applications.
Proactive Monitoring: Check application logs for anomalous session reactivation patterns or unexplained persistence of user data.
Compensating Controls: Implement secondary authentication or session validation checks within the application layer to supplement the library's functionality.
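As an added illustration of the compensating control above (not code from this advisory or from the Apache::Session project), the following Perl script wraps a session backend with an application-layer tombstone register: once the application deletes a session ID, the wrapper refuses to hand that ID back for at least a configured TTL, even if the backend would revive the old record. The backend used here is a constructed mock (MockRevivableStore) that only imitates the revival behaviour described above; the TombstoneSessionGuard class, its method names and the TTL values are assumptions and are not part of the Apache::Session API.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# --- Constructed mock backend --------------------------------------------
# Hypothetical stand-in for a session store that does not enforce deletion:
# "remove" drops the record from a live index but leaves the serialized copy
# behind, so a later fetch of the same ID silently brings the old data back.
package MockRevivableStore;

sub new {
    my ($class) = @_;
    return bless { live => {}, disk => {} }, $class;
}

sub fetch {
    my ($self, $id) = @_;
    # Flaw being modelled: fall back to the on-"disk" copy if the live
    # entry is gone, instead of treating the session as terminated.
    $self->{live}{$id} //= ( $self->{disk}{$id} //= {} );
    return $self->{live}{$id};
}

sub remove {
    my ($self, $id) = @_;
    delete $self->{live}{$id};    # the "disk" copy is left behind (the flaw)
    return 1;
}

# --- Application-layer guard: the compensating control ---------------------
package TombstoneSessionGuard;

# ttl: seconds a deleted ID stays blocked. Choose a value no shorter than the
# longest session lifetime so a revived record can never outlive the block.
sub new {
    my ( $class, %args ) = @_;
    return bless {
        store     => $args{store},
        ttl       => $args{ttl} // 86400,
        tombstone => {},                      # id => epoch at which block lapses
        now       => $args{now} // sub { time },
    }, $class;
}

# Hand back a session only if the application has not already terminated it.
sub fetch {
    my ( $self, $id ) = @_;
    $self->_expire_tombstones;
    return undef if exists $self->{tombstone}{$id};    # refuse a revived ID
    return $self->{store}->fetch($id);
}

# Delete in the backend and record the ID so it cannot come back.
sub remove {
    my ( $self, $id ) = @_;
    $self->{store}->remove($id);
    $self->{tombstone}{$id} = $self->{now}->() + $self->{ttl};
    return 1;
}

sub _expire_tombstones {
    my ($self) = @_;
    my $t = $self->{now}->();
    for my $id ( keys %{ $self->{tombstone} } ) {
        delete $self->{tombstone}{$id} if $self->{tombstone}{$id} <= $t;
    }
}

package main;

my $store = MockRevivableStore->new;
my $guard = TombstoneSessionGuard->new( store => $store, ttl => 3600 );

my $sid = 'constructed-session-id-1';    # constructed sample ID
$guard->fetch($sid)->{user} = 'alice';   # populate, then terminate the session
$guard->remove($sid);

# Unguarded backend: the deleted session's data comes back.
my $raw = $store->fetch($sid);
printf "raw backend after delete: user=%s\n", $raw->{user} // '(none)';

# Guarded path: the tombstone blocks the ID until the TTL lapses.
my $safe = $guard->fetch($sid);
printf "guarded lookup after delete: %s\n",
    defined $safe ? 'revived' : 'refused';
```

In a real application the tombstone register must be shared across processes (for example a small table in the application's database or a file under the same lock directory the store already uses); an in-process hash, as in this demonstration, only protects a single worker. The guard is a stop-gap for the window before the library update is deployed and does not replace it.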
Exploitation status
Public Exploit Available: No
Analyst recommendation
Despite being a legacy component, this vulnerability remains critical for any system using the affected Perl modules. Immediate patching and a review of session management practices are required to protect user privacy.