Vulnerability Description
In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Arangodb | Arangodb | >= 3.7.6, <= 3.8.3 |
Related Weaknesses (CWE)
References
- https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee8PatchThird Party Advisory
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940Third Party Advisory
- https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee8PatchThird Party Advisory
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940Third Party Advisory
FAQ
What is CVE-2021-25940?
CVE-2021-25940 is a vulnerability with a CVSS score of 8.8 (HIGH). In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicio...
How severe is CVE-2021-25940?
CVE-2021-25940 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-25940?
Check the references section above for vendor advisories and patch information. Affected products include: Arangodb Arangodb.