Description
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
Remediation
References
Related Vulnerabilities
GeoServer CVE-2024-34696 Vulnerability (CVE-2024-34696)
Atlassian Jira Other Vulnerability (CVE-2006-3339)
Craft CMS Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2018-3814)
MySQL CVE-2019-2636 Vulnerability (CVE-2019-2636)
Oracle Database Server CVE-2015-4900 Vulnerability (CVE-2015-4900)