GHSA-78F9-745F-278P

Vulnerability from github – Published: 2022-08-12 15:38 – Updated: 2022-08-12 15:38
VLAI?
Summary
Neo4j Graph apoc plugins Partial Path Traversal Vulnerability
Details

Impact

A partial Directory Traversal Vulnerability found in apoc.log.stream function of apoc plugins in Neo4j Graph database. This issue allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.

Patches

The users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing patch for this vulnerability are 4.4.0.8 and 4.3.0.7

Workarounds

If you cannot upgrade the library, you can control the allowlist of the functions that can be used in your system

For more information

If you have any questions or comments about this advisory: - Open an issue in neo4j-apoc-procedures - Email us at security@neo4j.com

Credits

We want to publicly recognise the contribution of Jonathan Leitschuh for reporting this issue.

Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.neo4j.procedure:apoc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0.0"
            },
            {
              "fixed": "4.4.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.neo4j.procedure:apoc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37423"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-12T15:38:33Z",
    "nvd_published_at": "2022-08-12T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA partial Directory Traversal Vulnerability found in `apoc.log.stream` function of apoc plugins in Neo4j Graph database. \nThis issue allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, `userControlled.getCanonicalPath().startsWith(\"/usr/out\")` will allow an attacker to access a directory with a name like `/usr/outnot`.\n\n### Patches\nThe users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing patch for this vulnerability are 4.4.0.8 and 4.3.0.7\n\n### Workarounds\nIf you cannot upgrade the library, you can control the [allowlist of the functions](https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/#config_dbms.security.procedures.allowlist) that can be used in your system\n\n\n### For more information\nIf you have any questions or comments about this advisory:\n- Open an issue in [neo4j-apoc-procedures](https://github.com/neo4j-contrib/neo4j-apoc-procedures)\n- Email us at [security@neo4j.com](mailto:security@neo4j.com)\n\n### Credits\nWe want to publicly recognise the contribution of [Jonathan Leitschuh](https://github.com/JLLeitschuh) for reporting this issue.\n ",
  "id": "GHSA-78f9-745f-278p",
  "modified": "2022-08-12T15:38:33Z",
  "published": "2022-08-12T15:38:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/security/advisories/GHSA-78f9-745f-278p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37423"
    },
    {
      "type": "WEB",
      "url": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/pull/3080"
    },
    {
      "type": "WEB",
      "url": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/d2f415c6f703bbc2cda4a753928821ff15d5c620"
    },
    {
      "type": "WEB",
      "url": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/fe9f8c77269f5a742585c1d62324eb70755de510"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/neo4j-contrib/neo4j-apoc-procedures"
    },
    {
      "type": "WEB",
      "url": "https://neo4j.com/docs/aura/platform/apoc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Neo4j Graph apoc plugins Partial Path Traversal Vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.