
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-3844 is an insufficient session expiration vulnerability in Rapid7 InsightVM: when an administrator performs security-relevant edits on a user who is currently logged on, that user's existing session is not terminated. The vulnerability was published on March 24, 2023, and received a CVSS v3.1 score of 5.4 (Medium severity) (NVD Results).
The flaw is in session management: a session, once issued, stays valid until it times out, regardless of security-critical changes made to the account afterwards. A password change therefore only blocks new logins with the old credential; it does nothing to sessions already established with it. For example, if an administrator resets a user's password because the credential is known to have leaked, an attacker who had already logged in with the leaked password keeps a working session (NVD Results).
The practical impact is that the usual incident response step, resetting the compromised user's password, does not end the attacker's access. The attacker retains the user's session and privileges until the session expires on its own, and can use that window to cause further damage within the system (NVD Results).
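The bug class is easiest to see side by side. The following is an added, self-contained illustration written for this page; it is not Rapid7's code and makes no claim about how InsightVM actually implements sessions. It contrasts a hypothetical session store that leaves sessions untouched across an administrative password reset with a hardened variant that records a per-account credential generation, revokes the user's live sessions on reset, and rejects any session issued under an older generation.

```python
"""Added illustration of the session-expiration bug class behind CVE-2021-3844.

Hypothetical, self-contained code (not Rapid7's). All names, user records and
passwords below are constructed for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # Illustrative KDF; a real deployment would use tuned argon2/scrypt/bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    # Bumped on every security-relevant edit (password reset, role change, disable).
    credential_generation: int = 0


@dataclass
class Session:
    token: str
    user: str
    issued_generation: int  # credential generation at the time of login
    expires_at: float


class VulnerableSessionStore:
    """Validates a session only by token existence and idle expiry."""

    def __init__(self, ttl_seconds: float = 3600):
        self.ttl = ttl_seconds
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def login(self, name: str, password: str):
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(u.pw_hash, _hash_password(password, u.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, name, u.credential_generation, time.time() + self.ttl)
        return token

    def admin_reset_password(self, name: str, new_password: str) -> None:
        u = self.users[name]
        u.salt = secrets.token_bytes(16)
        u.pw_hash = _hash_password(new_password, u.salt)
        # BUG: sessions already issued to this user are left alive.

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and time.time() < s.expires_at


class HardenedSessionStore(VulnerableSessionStore):
    """Same store, but a security-relevant edit ends every session issued before it."""

    def admin_reset_password(self, name: str, new_password: str) -> None:
        super().admin_reset_password(name, new_password)
        u = self.users[name]
        u.credential_generation += 1  # start a new credential epoch for this account
        # Eager revocation: drop the user's live sessions right away.
        for tok in [t for t, s in self.sessions.items() if s.user == name]:
            del self.sessions[tok]

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None or time.time() >= s.expires_at:
            return False
        # Defence in depth: even if eager revocation missed (e.g. a stale replica),
        # a session issued under an older credential generation is rejected.
        return s.issued_generation == self.users[s.user].credential_generation


def simulate(store_cls):
    """Attacker logs in with leaked credentials, then an admin resets the password.

    Returns (attacker_session_still_valid, legitimate_relogin_works).
    """
    store = store_cls()
    store.add_user("alice", "leaked-pw")          # constructed sample account
    attacker_token = store.login("alice", "leaked-pw")
    assert attacker_token is not None
    store.admin_reset_password("alice", "fresh-pw")
    attacker_still_valid = store.is_valid(attacker_token)
    new_token = store.login("alice", "fresh-pw")
    relogin_works = new_token is not None and store.is_valid(new_token)
    return attacker_still_valid, relogin_works


if __name__ == "__main__":
    print("vulnerable store (attacker session alive, relogin ok):", simulate(VulnerableSessionStore))
    print("hardened store   (attacker session alive, relogin ok):", simulate(HardenedSessionStore))
```

The generation check in the hardened `is_valid` is the part worth copying: eager revocation alone depends on every node that holds sessions seeing the delete, whereas binding each session to the credential generation it was issued under fails closed even when that propagation is incomplete.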
The vulnerability can be mitigated by using the Platform Login feature. Rapid7 recommends that all eligible users enable InsightVM Platform Login to protect their environment against this and similar insufficient session expiration issues (Rapid7 Docs).
Source: This report was generated using AI