Vulnerability Details CVE-2021-25940
In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 50.5%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.0
References
- https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940
- https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940
Products affected by CVE-2021-25940
-
cpe:2.3:a:arangodb:arangodb:3.7.10
-
cpe:2.3:a:arangodb:arangodb:3.7.11
-
cpe:2.3:a:arangodb:arangodb:3.7.12
-
cpe:2.3:a:arangodb:arangodb:3.7.13
-
cpe:2.3:a:arangodb:arangodb:3.7.13.1
-
cpe:2.3:a:arangodb:arangodb:3.7.14
-
cpe:2.3:a:arangodb:arangodb:3.7.15
-
cpe:2.3:a:arangodb:arangodb:3.7.6
-
cpe:2.3:a:arangodb:arangodb:3.7.6.1
-
cpe:2.3:a:arangodb:arangodb:3.7.7
-
cpe:2.3:a:arangodb:arangodb:3.7.8
-
cpe:2.3:a:arangodb:arangodb:3.7.9
-
cpe:2.3:a:arangodb:arangodb:3.8.0
-
cpe:2.3:a:arangodb:arangodb:3.8.1
-
cpe:2.3:a:arangodb:arangodb:3.8.2
-
cpe:2.3:a:arangodb:arangodb:3.8.3