CVE-2022-23532

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-23532
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23532.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-23532
Aliases
Published
2023-01-14T00:29:27Z
Modified
2025-11-04T19:47:24.366416Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L
Summary
neo4j-apoc-procedures is vulnerable to path traversal
Details

APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j that provides hundreds of procedures and functions. A path traversal vulnerability was found in the apoc.export.* procedures of the APOC plugins for the Neo4j graph database. The issue allows a malicious actor to potentially break out of the expected directory. Files can only be created, not overwritten. To exploit the vulnerability, an attacker needs the ability to execute an arbitrary query, either through access to an authenticated Neo4j client or through a Cypher injection vulnerability in an application. The minimum versions containing the patch for this vulnerability are 4.4.0.12, 4.3.0.12 and 5.3.1. As a workaround, you can control the allowlist of procedures that can be used in your system, and/or turn off local file access by setting apoc.export.file.enabled=false.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/neo4j-contrib/neo4j-apoc-procedures

Affected ranges

Type
GIT
Repo
https://github.com/neo4j-contrib/neo4j-apoc-procedures
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.3.0.12"
        }
    ]
}
Type
GIT
Repo
https://github.com/neo4j-contrib/neo4j-apoc-procedures
Events
Database specific
{
    "versions": [
        {
            "introduced": "4.4.0.0"
        },
        {
            "fixed": "4.4.0.12"
        }
    ]
}

Affected versions

1.*

1.0.0
1.0.0-RC1
1.1.0

3.*

3.0.4.1
3.1.0.1
3.1.0.2
3.1.0.3
3.1.0.4
3.1.2.5
3.1.3.6
3.2.0.3
3.2.0.4
3.3.0.1
3.3.0.2
3.4.0.1
3.4.0.2
3.4.0.3
3.5.0.0
3.5.0.1
3.5.0.2
3.5.0.3
3.5.0.4

4.*

4.0.0-rc01
4.0.0.0
4.0.0.1
4.0.0.2
4.0.0.3
4.0.0.4
4.0.0.5
4.1.0-rc01
4.1.0.0
4.2.0-rc01
4.3.0-rc01
4.3.0-rc03
4.3.0-rc2
4.3.0.0
4.3.0.1
4.3.0.10
4.3.0.11
4.3.0.2
4.3.0.3
4.3.0.4
4.3.0.5
4.3.0.6
4.3.0.7
4.3.0.8
4.3.0.9
4.4.0.0
4.4.0.1
4.4.0.10
4.4.0.11
4.4.0.2
4.4.0.3
4.4.0.4
4.4.0.5
4.4.0.6
4.4.0.7
4.4.0.8
4.4.0.9

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "125603981907569865654376026950174603736",
            "length": 113.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "before"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-0d081c80",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "331146373502642871023288236005918773036",
            "length": 493.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "testIllegalExternalFSAccessExportCypherSchema"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-1a58d58c",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "51243404849253300005958827813812241718",
            "length": 513.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "testIllegalExternalFSAccessExport"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-258013bf",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-3456c1bf",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "284001039641254320126845350184018080322",
            "length": 263.0
        },
        "target": {
            "file": "core/src/main/java/apoc/util/FileUtils.java",
            "function": "pathStartsWithOther"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-4dcf2aed",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "110056529070005092714950464435496921578",
            "length": 132.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "setUp"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-4df232cd",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "target": {
            "file": "core/src/main/java/apoc/util/FileUtils.java"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-590ddaf7",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "59585330581707235520374325695537515808",
            "length": 317.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "testIllegalFSAccessExport"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-67228d0a",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "284001039641254320126845350184018080322",
            "length": 263.0
        },
        "target": {
            "file": "core/src/main/java/apoc/util/FileUtils.java",
            "function": "pathStartsWithOther"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-67b8daee",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "239693201757504816575483908818576769194",
                "188151663685397805826354933676899658025",
                "63764959913668833150386784167511227492",
                "314839661301975344694721963469622469600",
                "67575176623690425660354344460452020294"
            ]
        },
        "target": {
            "file": "core/src/test/java/apoc/export/csv/ExportCsvTest.java"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-736e7340",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "239693201757504816575483908818576769194",
                "188151663685397805826354933676899658025",
                "63764959913668833150386784167511227492",
                "314839661301975344694721963469622469600",
                "67575176623690425660354344460452020294"
            ]
        },
        "target": {
            "file": "core/src/test/java/apoc/export/csv/ExportCsvTest.java"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-74ec5152",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "82626091029078126676784784822675223315",
            "length": 296.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "testIllegalFSAccessExportCypherSchema"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-8054708e",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "331146373502642871023288236005918773036",
            "length": 493.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "testIllegalExternalFSAccessExportCypherSchema"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-a225ea55",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "51243404849253300005958827813812241718",
            "length": 513.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "testIllegalExternalFSAccessExport"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-a5df0a45",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "125603981907569865654376026950174603736",
            "length": 113.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "after"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-a76e3480",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "17412666049559948970567866197675854082",
            "length": 448.0
        },
        "target": {
            "file": "core/src/main/java/apoc/util/FileUtils.java",
            "function": "getPath"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-aa9999e2",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "110056529070005092714950464435496921578",
            "length": 132.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "setUp"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-aead2c74",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "82626091029078126676784784822675223315",
            "length": 296.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "testIllegalFSAccessExportCypherSchema"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-b02e6f80",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "17412666049559948970567866197675854082",
            "length": 448.0
        },
        "target": {
            "file": "core/src/main/java/apoc/util/FileUtils.java",
            "function": "getPath"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-b6aea6e2",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "target": {
            "file": "core/src/main/java/apoc/util/FileUtils.java"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-cb64c4da",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-d159fb3d",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "125603981907569865654376026950174603736",
            "length": 113.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "after"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-db95c74b",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "125603981907569865654376026950174603736",
            "length": 113.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "before"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-f09426da",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/e30dcfbdad3ee4b741fb0f99eb2b55900142a727"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "59585330581707235520374325695537515808",
            "length": 317.0
        },
        "target": {
            "file": "core/src/test/java/apoc/export/ExportCoreSecurityTest.java",
            "function": "testIllegalFSAccessExport"
        },
        "signature_version": "v1",
        "id": "CVE-2022-23532-fd14b7a5",
        "deprecated": false,
        "source": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"
    }
]