Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03OGY5LTc0NWYtMjc4cM4AAt9m
Neo4j Graph apoc plugins Partial Path Traversal Vulnerability
Impact
A partial Directory Traversal Vulnerability found in apoc.log.stream
function of apoc plugins in Neo4j Graph database.
This issue allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, userControlled.getCanonicalPath().startsWith("/usr/out")
will allow an attacker to access a directory with a name like /usr/outnot
.
Patches
The users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing patch for this vulnerability are 4.4.0.8 and 4.3.0.7
Workarounds
If you cannot upgrade the library, you can control the allowlist of the functions that can be used in your system
For more information
If you have any questions or comments about this advisory:
- Open an issue in neo4j-apoc-procedures
- Email us at [email protected]
Credits
We want to publicly recognise the contribution of Jonathan Leitschuh for reporting this issue.
Permalink: https://github.com/advisories/GHSA-78f9-745f-278pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03OGY5LTc0NWYtMjc4cM4AAt9m
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-78f9-745f-278p, CVE-2022-37423
References:
- https://github.com/neo4j-contrib/neo4j-apoc-procedures/security/advisories/GHSA-78f9-745f-278p
- https://github.com/neo4j-contrib/neo4j-apoc-procedures/pull/3080
- https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/d2f415c6f703bbc2cda4a753928821ff15d5c620
- https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/fe9f8c77269f5a742585c1d62324eb70755de510
- https://nvd.nist.gov/vuln/detail/CVE-2022-37423
- https://neo4j.com/docs/aura/platform/apoc/
- https://github.com/advisories/GHSA-78f9-745f-278p
Blast Radius: 0.0
Affected Packages
maven:org.neo4j.procedure:apoc
Dependent packages: 8Dependent repositories: 44
Downloads:
Affected Version Ranges: < 4.3.0.7, >= 4.4.0.0, < 4.4.0.8
Fixed in: 4.3.0.7, 4.4.0.8
All affected versions: 1.0.0, 1.1.0
All unaffected versions: