CVE-2021-25940

Published: Nov 16, 2021Modified: Nov 21, 2024

8.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.1 / Impact: 5.9

Source: NVD

Description

In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.

Affected (1)

Products: Arangodb: Arangodb

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Arangodb Arangodb	From 3.7.6 to 3.8.3

Related CWEs

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (4)

https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3

Source: vulnerabilitylab@mend.io

PatchThird Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940

Source: vulnerabilitylab@mend.io

Third Party Advisory

https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.