CVE-2021-25940
Date: November 16, 2021
Overview
In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the user’s existing session is not invalidated, so a malicious user can remain logged in and continue to perform arbitrary actions within the system.
Details
ArangoDB’s session management fails to invalidate a user’s existing session when an administrator changes that user’s password. The user therefore stays logged in and can keep performing actions, whereas the current session should be invalidated immediately after the admin changes the password.
PoC Details
1. Log in as a regular user in a browser window in Incognito Mode.
2. Log in as an administrator in a normal window. Go to "Users" in the left-hand tab, open the user that is logged in in the incognito window, and change that user's password.
3. Go back to the user's session. The user is still able to access all pages in the current session, even after the admin has changed the password. This confirms that the user session is not invalidated after the admin performs “Edit user Password”.
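As an added illustration (this is not ArangoDB’s code), a small Python session store models the flawed check described above next to a hardened one: each session records the user’s credential version at login, and an admin password change bumps that version, so sessions issued under the old password stop validating. The account name, passwords and hashing parameters are constructed sample values.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    credential_version: int = 0  # incremented on every password change


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        # token -> (user name, credential version at the time of login)
        self.sessions: Dict[str, Tuple[str, int]] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, hash_password(password, salt))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or not secrets.compare_digest(
            hash_password(password, user.salt), user.password_hash
        ):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, user.credential_version)
        return token

    def admin_change_password(self, name: str, new_password: str) -> None:
        user = self.users[name]
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.credential_version += 1  # every session issued before this is now stale

    def session_valid_vulnerable(self, token: str) -> bool:
        # Flawed check: the session stays valid as long as the token exists.
        return token in self.sessions

    def session_valid_fixed(self, token: str) -> bool:
        # Hardened check: the session must match the user's current credential version.
        entry = self.sessions.get(token)
        if entry is None:
            return False
        name, version = entry
        return version == self.users[name].credential_version


def reproduce_scenario() -> Tuple[bool, bool]:
    """Replay the PoC on the model: user logs in, admin changes the password,
    then the old session is checked with both rules (vulnerable, fixed)."""
    store = SessionStore()
    store.add_user("alice", "old-password")  # constructed sample account
    token = store.login("alice", "old-password")
    store.admin_change_password("alice", "new-password")
    return store.session_valid_vulnerable(token), store.session_valid_fixed(token)
```

`reproduce_scenario()` returns `(True, False)`: the token-existence check still accepts the stale session, the version-bound check rejects it.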
Affected Environments
v3.7.6 through v3.8.3
Prevention
Upgrade to version v3.9.0-alpha.1 or later
Language: C++
Good to know:

| CVSS v3 metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | Required |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

| CVSS v2 metric | Value |
|---|---|
| Base Score | |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Medium |
| Authentication (AU) | Single |
| Confidentiality (C) | Partial |
| Integrity (I) | Partial |
| Availability (A) | Partial |