CVE-2021-42767

Source
https://cve.org/CVERecord?id=CVE-2021-42767
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-42767.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-42767
Aliases
Published
2022-03-01T02:15:07.370Z
Modified
2026-07-09T10:01:21.072784Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

A directory traversal vulnerability in the apoc plugins in Neo4J Graph database before 4.4.0.1 allows attackers to read local files, and sometimes create local files. This is fixed in 3.5.17, 4.2.10, 4.3.0.4, and 4.4.0.1.

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:neo4j:awesome_procedures:*:*:*:*:*:neo4j:*:*"
            ],
            "vendor_product": "neo4j:awesome_procedures",
            "source": "CPE_RANGE",
            "extracted_events": [
                {
                    "introduced": "4.2.0.0"
                },
                {
                    "fixed": "4.2.10"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/neo4j-contrib/neo4j-apoc-procedures

Affected ranges

Type
GIT
Repo
https://github.com/neo4j-contrib/neo4j-apoc-procedures
Events
Database specific
{
    "cpe": "cpe:2.3:a:neo4j:awesome_procedures:*:*:*:*:*:neo4j:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.5.0.17"
        },
        {
            "introduced": "4.3.0.0"
        },
        {
            "fixed": "4.3.0.4"
        },
        {
            "introduced": "4.4.0.0"
        },
        {
            "fixed": "4.4.0.1"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.0-RC1
1.1.0
3.*
3.0.4.1
3.1.0.1
3.1.0.2
3.1.0.3
3.1.0.4
3.1.2.5
3.1.3.6
3.2.0.3
3.2.0.4
3.3.0.1
3.3.0.2
3.4.0.1
3.4.0.2
3.4.0.3
3.5.0.0
3.5.0.1
3.5.0.11
3.5.0.12
3.5.0.13
3.5.0.14
3.5.0.15
3.5.0.15-fix
3.5.0.16
3.5.0.2
3.5.0.3
3.5.0.4
3.5.0.5
3.5.0.6
3.5.0.7
3.5.0.8
3.5.0.9
4.*
4.3.0.0
4.3.0.1
4.3.0.2
4.3.0.3
4.4.0.0

Database specific

vanir_signatures
[
    {
        "digest": {
            "function_hash": "207802441921537204896901189403421172352",
            "length": 891.0
        },
        "id": "CVE-2021-42767-1dfd6a10",
        "deprecated": false,
        "target": {
            "function": "loadCsvForMetric",
            "file": "full/src/main/java/apoc/metrics/Metrics.java"
        },
        "signature_type": "Function",
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/52a0958220ed2998225bce4548636a037ed9d16a",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "148235860615581967438097351628586614164",
            "length": 158.0
        },
        "id": "CVE-2021-42767-6b23d2f3",
        "deprecated": false,
        "target": {
            "function": "shouldListMetrics",
            "file": "full/src/test/java/apoc/metrics/MetricsTest.java"
        },
        "signature_type": "Function",
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/52a0958220ed2998225bce4548636a037ed9d16a",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "182662720706030460458167050211698383750",
            "length": 776.0
        },
        "id": "CVE-2021-42767-7a4dff55",
        "deprecated": false,
        "target": {
            "function": "beforeAll",
            "file": "full/src/test/java/apoc/metrics/MetricsTest.java"
        },
        "signature_type": "Function",
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/52a0958220ed2998225bce4548636a037ed9d16a",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "281692202849863382705659314443838687303",
            "length": 103.0
        },
        "id": "CVE-2021-42767-81b2b801",
        "deprecated": false,
        "target": {
            "function": "createURLStreamHandler",
            "file": "core/src/main/java/apoc/util/ApocUrlStreamHandlerFactory.java"
        },
        "signature_type": "Function",
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/52a0958220ed2998225bce4548636a037ed9d16a",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "118724760598893317982475357391888250702",
                "42787929835364742382331780057433172078",
                "16470593785582350785397032901801234475"
            ]
        },
        "id": "CVE-2021-42767-8598f591",
        "deprecated": false,
        "target": {
            "file": "core/src/main/java/apoc/util/ApocUrlStreamHandlerFactory.java"
        },
        "signature_type": "Line",
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/52a0958220ed2998225bce4548636a037ed9d16a",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "95193999362841661895289845896028243311",
                "261693692348930040984612887687535111589",
                "245119315153008729244130802157176054276",
                "312228315934111725499004949396862767107"
            ]
        },
        "id": "CVE-2021-42767-9882e414",
        "deprecated": false,
        "target": {
            "file": "full/src/main/java/apoc/metrics/Metrics.java"
        },
        "signature_type": "Line",
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/52a0958220ed2998225bce4548636a037ed9d16a",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "326407374985357365592746360777064624085",
                "197118873685740969565063317695628189996",
                "112294612097618583592768992805148845109",
                "164547746798137424238900755296927338998",
                "126078213229550900351017173744347645068",
                "135150134212647040508387277717315844543",
                "332306860352394965052039383555502549879",
                "162764096537427463671519790558088939497",
                "221997739649930657196741760142003088791",
                "55687417267536926984773132019460202768",
                "289327744451055700867636982514277268897",
                "151103724863842922547844729830969069402",
                "115645540087760266184531019474230504491",
                "168158000555892453138181644095029972025",
                "169871252963711939556104895977598583812",
                "76255239339210194307863618699059398263",
                "50821939529835205129435492129792887666",
                "114034237037236198280404289766811056715",
                "125866287381025221960492068262448416556",
                "298411769115905202885627970124493109980",
                "254213154127773681350157233177394834828",
                "184424694594279896009214389812614281830",
                "46707607899408460326253782815611406143",
                "317896526428701706407315656040695414705",
                "250640465049932201846732307601903714749"
            ]
        },
        "id": "CVE-2021-42767-cddbee72",
        "deprecated": false,
        "target": {
            "file": "full/src/test/java/apoc/metrics/MetricsTest.java"
        },
        "signature_type": "Line",
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/52a0958220ed2998225bce4548636a037ed9d16a",
        "signature_version": "v1"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-42767.json"
vanir_signatures_modified
"2026-07-09T10:01:21Z"