CVE-2021-25940 ArangoDB - Insufficient Session Expiration after Password Change

Published: 2021-11-16 09:25:09
CWE: CWE-613
Source: Mend
Reference: www.cve.org
Tags: arangodb, vulnerability, insufficient session expiration

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.9
Confidence: High
EPSS: 0.001
Percentile: 42.8%

In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration (CWE-613). When an administrator changes a user's password, that user's existing sessions are not invalidated, so a malicious user who already holds a session remains logged in and can continue to perform arbitrary actions within the system.
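
The weakness above and its usual mitigation, shown as an added example in Python; this is not ArangoDB's code, and the in-memory user table, session store, token format and the credential-generation counter are all assumed designs. Each session records the "credential generation" of the account at login; a password change by the administrator bumps the counter, so any session bound to an older generation is rejected on its next use. The `validate_generation` switch lets the same store behave like the vulnerable version (old sessions survive the change) or the fixed one.

```python
"""Session invalidation after an administrative password change.

Added illustration of CWE-613 (Insufficient Session Expiration) as described
for CVE-2021-25940 and of a common fix. Not ArangoDB code: users, sessions and
tokens are constructed in-memory stand-ins.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed salt for the toy hash below; a real deployment uses a password
# KDF such as argon2id or scrypt with a per-user salt.
_DEMO_SALT = b"demo-salt-not-for-production"


def _hash(password: str) -> str:
    return hashlib.sha256(_DEMO_SALT + password.encode()).hexdigest()


@dataclass
class User:
    name: str
    password_hash: str
    # Assumed design: monotonic counter bumped on every credential change.
    credential_generation: int = 0


@dataclass
class Session:
    user: str
    issued_at: float
    # Generation of the account's credentials when this session was created.
    credential_generation: int


class SessionStore:
    """Minimal token-based session store.

    validate_generation=False reproduces the vulnerable behaviour: sessions
    are accepted regardless of later password changes.
    validate_generation=True applies the fix: a session is only valid while
    its recorded generation matches the account's current one.
    """

    def __init__(self, validate_generation: bool = True) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}
        self.validate_generation = validate_generation

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = User(name, _hash(password))

    def login(self, name: str, password: str):
        """Return a fresh session token, or None if the credentials are wrong."""
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user.password_hash, _hash(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, time.time(), user.credential_generation)
        return token

    def admin_change_password(self, name: str, new_password: str) -> None:
        """Administrator resets a user's password.

        Bumping the generation is what invalidates outstanding sessions; the
        vulnerable configuration simply never checks it.
        """
        user = self.users[name]
        user.password_hash = _hash(new_password)
        user.credential_generation += 1

    def is_authenticated(self, token: str) -> bool:
        """Validate a presented token; stale sessions are dropped on sight."""
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users.get(session.user)
        if user is None:
            self.sessions.pop(token, None)
            return False
        if self.validate_generation and session.credential_generation != user.credential_generation:
            self.sessions.pop(token, None)
            return False
        return True


def session_survives_password_change(validate_generation: bool) -> bool:
    """Log in, have an admin change the password, and report whether the
    pre-change session is still accepted."""
    store = SessionStore(validate_generation=validate_generation)
    store.add_user("alice", "old-password")  # constructed sample user
    token = store.login("alice", "old-password")
    assert token is not None
    store.admin_change_password("alice", "new-password")
    return store.is_authenticated(token)


if __name__ == "__main__":
    print("vulnerable store keeps old session:", session_survives_password_change(False))
    print("fixed store keeps old session:     ", session_survives_password_change(True))
```

The same generation check also covers self-service password changes and an explicit "log out everywhere" action (bump the counter without touching the hash), which is why a per-account counter is preferable to deleting sessions by scanning the store: it works even when sessions live in stateless tokens, as long as the verifier can look up the account's current generation.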

CNA Affected

[
  {
    "product": "arangodb",
    "vendor": "arangodb",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "v3.7.6",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "v3.8.3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
