CVE-2021-25940

In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a users password is changed by the administrator, the session isnt invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MendCNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
VendorProductVersion
arangodbarangodb
3.7.6 ≤
𝑥
≤ 3.8.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940
https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940