ArangoDB - Insufficient Session Expiration after Password Change
Description
In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ArangoDB v3.7.6–v3.8.3 fails to invalidate sessions after password change, allowing continued unauthorized access.
Vulnerability
In ArangoDB versions v3.7.6 through v3.8.3, session management does not invalidate existing sessions when an administrator changes a user's password. The JWT issued at login carries a hardcoded validity of 30 days, and the server accepts any token whose signature verifies and whose expiry has not passed, so a password change has no effect on tokens that were issued before it [1][2]. The affected code is the authentication handling in the RestAuthHandler class.
Exploitation
An attacker who holds a valid token for the account (e.g., obtained through a prior compromise, or a legitimate user whose password the administrator later changes in order to lock them out) can keep presenting that token to authenticate and perform actions until it expires, which is up to 30 days after issuance. No further authentication is required: the password is never re-checked once the token exists, and the administrator's password change neither rejects the existing token nor shortens its lifetime.
Impact
Successful exploitation allows an attacker to maintain authenticated access to the ArangoDB instance with the privileges of the user whose password was changed. This can lead to unauthorized data access, modification, or deletion, depending on the user's permissions. The impact is a breach of confidentiality, integrity, and availability.
Mitigation
The fix is commit e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3 [1], which removes the hardcoded 30-day JWT validity and revives the --server.session-timeout startup option so that the token lifetime is configurable. Since the affected range ends at v3.8.3, upgrade to v3.8.4 or later. Note what the patch does and does not do: it bounds the exposure window, but it does not tie token validity to the password change, so a token issued shortly before the change remains usable until its (now shorter) expiry. Where an immediate lockout is needed, rotate the server's JWT secret (for example the file referenced by --server.jwt-secret-keyfile, which in a cluster must be updated on every node), because that invalidates every token signed with the old secret. Restarting the server by itself does not invalidate a still-valid token: the JWT is self-contained and its signature continues to verify under the unchanged secret.
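To make the mechanics in the Vulnerability and Exploitation sections concrete, and to show what the session-timeout fix does and does not buy, the following is an added Python example; it is not ArangoDB's code and not part of the original advisory. It models the pattern: a stateless HS256 JWT minted at login with an iat/exp pair, a server that accepts any token whose signature verifies and whose exp has not passed, and a password reset that the token never sees. The signing secret, the user record, the claim names (preferred_username is assumed here) and all timestamps are constructed for the demo. It goes one step beyond the patch by also showing a check the ArangoDB fix does not add: refusing tokens issued before the account's most recent password change.

```python
import base64
import hashlib
import hmac
import json

HOUR = 3600
DAY = 24 * HOUR

# Constructed demo secret; stands in for the server-side JWT signing secret.
SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, issued_at: int, valid_for: int, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT at login. The only freshness information it carries is
    the iat/exp pair; nothing in it references the password or its version."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"preferred_username": user, "iat": issued_at, "exp": issued_at + valid_for}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: int, secret: bytes = SECRET):
    """Stateless check: the signature must verify and exp must lie in the future.
    Returns the payload dict, or None if the token is rejected."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    if now >= payload["exp"]:
        return None
    return payload


def token_lifetime_seconds(token: str) -> int:
    """Inspection helper for a captured token: how long was it minted to live?
    Decodes the payload without verifying it, which is fine for inspection only."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload["exp"] - payload["iat"]


def replay_after_reset(valid_for: int, reset_after: int, replay_after: int,
                       bind_to_password_change: bool) -> bool:
    """Login at t0, the admin resets the password at t0+reset_after, and the
    login token is replayed at t0+replay_after. True if the server accepts it."""
    t0 = 1_700_000_000
    users = {"alice": {"password_changed_at": t0 - DAY}}  # constructed user record
    token = issue_token("alice", t0, valid_for)

    users["alice"]["password_changed_at"] = t0 + reset_after  # the admin's reset
    now = t0 + replay_after

    payload = verify_token(token, now)
    if payload is None:
        return False
    if bind_to_password_change:
        # Extra check not present in the ArangoDB fix: a token minted before the
        # most recent password change is refused even though it is otherwise valid.
        # (A per-user password version counter avoids same-second ambiguity.)
        if payload["iat"] < users[payload["preferred_username"]]["password_changed_at"]:
            return False
    return True


if __name__ == "__main__":
    print("30-day token, replayed a day after the reset:",
          replay_after_reset(30 * DAY, HOUR, HOUR + DAY, False))        # True: vulnerable
    print("1-hour token, replayed a day after the reset:",
          replay_after_reset(HOUR, HOUR, HOUR + DAY, False))            # False: expired
    print("1-hour token, replayed 10 min after the reset:",
          replay_after_reset(HOUR, HOUR // 2, HOUR // 2 + 600, False))  # True: window remains
    print("same, with iat bound to the password change:",
          replay_after_reset(HOUR, HOUR // 2, HOUR // 2 + 600, True))   # False
```

The third case is the caveat from the Mitigation section: a shorter --server.session-timeout shrinks the window but does not close it, and only the iat-versus-password-change comparison (or rotating the signing secret) rejects the token outright. token_lifetime_seconds is the check to run against a real deployment: obtain a token from a test instance's /_open/auth endpoint and decode its payload; on an affected build the difference between exp and iat is 30 days.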
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References
[1] github.com/arangodb/arangodb/commit/e9c6ee9dcca7b9b4fbcd02a0b323d205bee838d3
[2] www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25940