← Back

CVE-2021-3844

nvd nist
Published: Mar 24, 2023Modified: Nov 21, 2024

JSON object

Loading...
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.8 / Impact: 2.5
Source: NVD

Description

Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to CVE-2019-5638.

Affected (1)

Products: Rapid7: Insightvm
Rapid7
1 product
Insightvm
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Insightvm
Before 6.5.50

Related CWEs

CWE-613
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (4)

Source: cve@rapid7.com
Product
Source: cve@rapid7.com
VDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Product
Source: af854a3a-2127-422b-91ae-364da2661108
VDB Entry

Timeline

No history available yet.