Skip to content

Neo4j Graph apoc plugins Partial Path Traversal Vulnerability

Moderate severity GitHub Reviewed Published Aug 11, 2022 in neo4j-contrib/neo4j-apoc-procedures • Updated Jan 27, 2023

Package

maven org.neo4j.procedure:apoc (Maven)

Affected versions

>= 4.4.0.0, < 4.4.0.8
< 4.3.0.7

Patched versions

4.4.0.8
4.3.0.7

Description

Impact

A partial Directory Traversal Vulnerability found in apoc.log.stream function of apoc plugins in Neo4j Graph database.
This issue allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.

Patches

The users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing patch for this vulnerability are 4.4.0.8 and 4.3.0.7

Workarounds

If you cannot upgrade the library, you can control the allowlist of the functions that can be used in your system

For more information

If you have any questions or comments about this advisory:

Credits

We want to publicly recognise the contribution of Jonathan Leitschuh for reporting this issue.

References

@ncordon ncordon published to neo4j-contrib/neo4j-apoc-procedures Aug 11, 2022
Published by the National Vulnerability Database Aug 12, 2022
Published to the GitHub Advisory Database Aug 12, 2022
Reviewed Aug 12, 2022
Last updated Jan 27, 2023

Severity

Moderate

Weaknesses

CVE ID

CVE-2022-37423

GHSA ID

GHSA-78f9-745f-278p

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.