Mend Vulnerability Database
Date: November 16, 2021
Overview
ArangoDB versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration (CWE-613). When an administrator changes a user's password, that user's existing sessions are not invalidated, so a malicious user who already holds a session stays logged in and can keep performing arbitrary actions within the system with that user's privileges.
Details
ArangoDB's session management does not invalidate a user's existing sessions when an administrator changes that user's password. Whoever holds such a session therefore remains logged in and can continue to perform actions, even though every current session of that user should be invalidated immediately after the admin changes the password.
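The behaviour the advisory says is missing, as an added example (this is illustrative code written for this page, not ArangoDB's session implementation): an in-memory session store that binds every session to a per-user password generation counter, so an administrator's password change makes all of that user's existing sessions invalid at once. The class, method names, and the users and passwords in the demo are assumptions made for the example.

```python
"""Session store that invalidates a user's sessions when the password changes.

Added example, not ArangoDB code. Each user record carries a "generation"
counter; a session records the generation it was issued under and is only
valid while that generation is still the user's current one.
"""
import hashlib
import hmac
import os
import secrets


class SessionStore:
    def __init__(self):
        self._users = {}      # name -> {"salt", "hash", "generation"}
        self._sessions = {}   # token -> (user name, generation at issue time)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "hash": self._hash(salt, password), "generation": 0}

    def login(self, name, password):
        """Return a fresh session token, or None if the credentials are wrong."""
        user = self._users.get(name)
        if user is None or not hmac.compare_digest(user["hash"], self._hash(user["salt"], password)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (name, user["generation"])
        return token

    def is_valid(self, token):
        """A session is valid only if its generation matches the user's current one."""
        entry = self._sessions.get(token)
        if entry is None:
            return False
        name, generation = entry
        user = self._users.get(name)
        if user is None or user["generation"] != generation:
            self._sessions.pop(token, None)   # lazily drop the stale session
            return False
        return True

    def admin_set_password(self, name, new_password):
        """Administrator password change: re-hash and bump the generation.

        Bumping the counter is what invalidates existing sessions; the eager
        purge below just keeps stale tokens from lingering in the table.
        """
        user = self._users[name]
        user["salt"] = os.urandom(16)
        user["hash"] = self._hash(user["salt"], new_password)
        user["generation"] += 1
        self._sessions = {
            t: v for t, v in self._sessions.items()
            if v[0] != name or v[1] == user["generation"]
        }


def demo():
    """Replay the advisory's scenario: user logs in, admin changes password."""
    store = SessionStore()
    store.add_user("alice", "old-pass")          # assumed test user
    token = store.login("alice", "old-pass")     # the "incognito" session
    before = store.is_valid(token)               # True: session works
    store.admin_set_password("alice", "new-pass")
    after = store.is_valid(token)                # False: old session is dead
    relogin = store.login("alice", "new-pass") is not None   # new password works
    return before, after, relogin


if __name__ == "__main__":
    print(demo())
```

The generation counter is the important part: it costs one integer per user, works for stateless tokens too (embed the generation in the signed token and compare it at validation time), and covers every session of the user, not just the one the administrator happens to know about.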
PoC Details
Log in as a regular user in a browser window in Incognito Mode.
In a normal window, log in as an administrator. Open "Users" in the left-hand menu, select the user that is logged in in the Incognito window, and change that user's password.
Return to the user's Incognito session. The user can still access every page in the current session even after the admin has changed the password. This confirms that the user's session is not invalidated when the admin performs "Edit user Password".
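The same check against the HTTP API instead of the web UI, as an added example (this script is written for this page; it is not the PoC from the advisory or ArangoDB tooling). It logs the test user in to obtain a JWT, has the administrator change that user's password through `PATCH /_api/user/{name}`, and then reuses the old JWT against `GET /_api/version`; if that request still succeeds, the session survived the password change. The server URL, the admin and test-user credentials, and the `ARANGO_URL` / `ARANGO_ROOT_PASSWORD` environment variables are assumptions; the three endpoints used are ArangoDB's documented ones.

```python
"""Probe whether an ArangoDB login token survives an admin password change.

Added example, not from the advisory or ArangoDB. Assumes a reachable server
exposing the documented HTTP API (POST /_open/auth, POST and PATCH /_api/user,
GET /_api/version). Host, credentials and the test user name are assumptions.
"""
import json
import os
import urllib.error
import urllib.request

BASE = os.environ.get("ARANGO_URL", "http://127.0.0.1:8529")      # assumed endpoint
ADMIN = ("root", os.environ.get("ARANGO_ROOT_PASSWORD", ""))        # assumed admin login
VICTIM = "sessiontest"                                              # assumed test user


def request(method, path, body=None, jwt=None):
    """Send one JSON request and return (HTTP status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if jwt:
        req.add_header("Authorization", "bearer " + jwt)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def login(user, password):
    """Return the JWT for user/password, or raise if the server refuses."""
    status, body = request("POST", "/_open/auth", {"username": user, "password": password})
    if status != 200:
        raise RuntimeError(f"login as {user} failed: {status} {body}")
    return body["jwt"]


def verdict(status_after_change):
    """Classify the probe made with the OLD token after the password change."""
    if status_after_change == 200:
        return "VULNERABLE: old token still accepted after password change"
    if status_after_change == 401:
        return "OK: old token rejected after password change"
    return f"INCONCLUSIVE: unexpected status {status_after_change}"


def run():
    admin_jwt = login(*ADMIN)
    # Make sure the test user exists with a known password (409 = already there).
    request("POST", "/_api/user", {"user": VICTIM, "passwd": "old-pass"}, admin_jwt)
    request("PATCH", f"/_api/user/{VICTIM}", {"passwd": "old-pass"}, admin_jwt)

    victim_jwt = login(VICTIM, "old-pass")                       # the "incognito" session
    before, _ = request("GET", "/_api/version", jwt=victim_jwt)  # sanity check: 200

    status, body = request("PATCH", f"/_api/user/{VICTIM}", {"passwd": "new-pass"}, admin_jwt)
    if status != 200:
        raise RuntimeError(f"admin password change failed: {status} {body}")

    after, _ = request("GET", "/_api/version", jwt=victim_jwt)   # reuse the OLD token
    print(f"status with old token before change: {before}, after change: {after}")
    print(verdict(after))
    return before, after


if __name__ == "__main__":
    run()
```

Run it against a 3.8.3 instance and then against the upgraded one; the verdict line is the only thing that should differ. Keep in mind that a token can also stop working simply because it reached its normal expiry, so make the probe immediately after the password change rather than minutes later.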
Affected Environments
v3.7.6 through v3.8.3
Prevention
Upgrade to version v3.9.0-alpha.1 or later
Good to know:
CVSS v3 metrics
|Attack Vector (AV):|Network|
|Attack Complexity (AC):|Low|
|Privileges Required (PR):|Low|
|User Interaction (UI):|Required|
CVSS v2 metrics
|Access Vector (AV):|Network|
|Access Complexity (AC):|Medium|