Vulnerabilities > CVE-2021-25940 - Insufficient Session Expiration vulnerability in Arangodb
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3
- https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940