CVE-2021-25940

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-25940
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25940.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-25940
Aliases
Published
2021-11-16T10:15:06.783Z
Modified
2025-11-20T11:38:46.117895Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.

References

Affected packages

Git / github.com/arangodb/arangodb

Affected ranges

Type
GIT
Repo
https://github.com/arangodb/arangodb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

basic
testBuildDocu
vdevel

v0.*

v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.1
v0.3.10
v0.3.11
v0.3.12
v0.3.13
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.6.0

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.99
v1.0.alpha1
v1.0.alpha2
v1.0.alpha3
v1.0.beta1
v1.0.beta2
v1.0.beta3
v1.0.beta4
v1.1.0
v1.1.1
v1.1.beta1
v1.1.beta2
v1.2.beta1
v1.2.beta2
v1.4.0
v1.4.0-alpha1
v1.4.0-alpha2
v1.4.0-beta1
v1.4.0-beta2
v1.4.0-rc1
v1.4.1
v1.4.1-rc1
v1.4.10
v1.4.11
v1.4.2
v1.4.2-alpha1
v1.4.3
v1.4.3-alpha1
v1.4.4
v1.4.4-rc1
v1.4.5
v1.4.5-rc1
v1.4.5-rc2
v1.4.6
v1.4.7
v1.4.8
v1.4.9

v2.*

v2.0.0-alpha1
v2.0.0-alpha2
v2.0.0-alpha3
v2.0.0-beta1
v2.0.0-beta2
v2.3.0
v2.3.0-alpha1
v2.3.0-alpha2
v2.3.0-alpha3
v2.3.0-alpha4
v2.3.0-alpha5
v2.3.0-alpha6
v2.3.0-alpha7
v2.3.0-beta1
v2.3.0-beta2
v2.3.1
v2.5.0-alpha1
v2.5.0-alpha2
v2.5.0-alpha3
v2.5.0-alpha4
v2.5.0-alpha5
v2.5.0-alpha6
v2.5.0-alpha7
v2.5.0-alpha8
v2.5.0-beta1

v3.*

v3.2.alpha777
v3.3.alpha1

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1098.0,
            "function_hash": "304800437640291846173093504186472095577"
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/GeneralServer/AuthenticationFeature.cpp",
            "function": "AuthenticationFeature::validateOptions"
        },
        "id": "CVE-2021-25940-0a984027"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 485.0,
            "function_hash": "115735212466459881212953764144459330578"
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/GeneralServer/AuthenticationFeature.cpp",
            "function": "AuthenticationFeature::AuthenticationFeature"
        },
        "id": "CVE-2021-25940-10908c80"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1341.0,
            "function_hash": "273544426006471626020236115299434825323"
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/RestHandler/RestAuthHandler.cpp",
            "function": "RestAuthHandler::execute"
        },
        "id": "CVE-2021-25940-1af10564"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 260.0,
            "function_hash": "229188304507844909734213675151876473963"
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/RestHandler/RestAuthHandler.cpp",
            "function": "RestAuthHandler::generateJwt"
        },
        "id": "CVE-2021-25940-3344dfc9"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/RestServer/ServerFeature.cpp"
        },
        "id": "CVE-2021-25940-4210db08"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/GeneralServer/AuthenticationFeature.h"
        },
        "id": "CVE-2021-25940-4dd70dc0"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 173.0,
            "function_hash": "99090291792254957906027673325043506677"
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/RestHandler/RestAuthHandler.cpp",
            "function": "RestAuthHandler::RestAuthHandler"
        },
        "id": "CVE-2021-25940-4f2dfefa"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 2416.0,
            "function_hash": "192459769600878105954316520604499287850"
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/GeneralServer/AuthenticationFeature.cpp",
            "function": "AuthenticationFeature::collectOptions"
        },
        "id": "CVE-2021-25940-8076747c"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/RestHandler/RestAuthHandler.h"
        },
        "id": "CVE-2021-25940-9a3afa26"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/GeneralServer/AuthenticationFeature.cpp"
        },
        "id": "CVE-2021-25940-aa85805e"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 3193.0,
            "function_hash": "83995709477569495558343989341557358107"
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/RestServer/ServerFeature.cpp",
            "function": "ServerFeature::collectOptions"
        },
        "id": "CVE-2021-25940-dcfc7dd1"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3",
        "target": {
            "file": "arangod/RestHandler/RestAuthHandler.cpp"
        },
        "id": "CVE-2021-25940-e4861223"
    }
]