CVE-2021-3844 MEDIUM

CVE-2021-3844: Rapid7 InsightVM Insufficient Session Expiration

Vendor Rapid7
Product InsightVM
Weakness CWE-613 · Insufficient session expiration
Published March 24, 2023
Last update February 19, 2025

CVSS base score

5.7/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to CVE-2019-5638.

Key dates

02Disclosure timeline

March 24, 2023 CVE published
February 19, 2025 Record updated