GHSA-78f9-745f-278p

Source

https://github.com/advisories/GHSA-78f9-745f-278p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-78f9-745f-278p/GHSA-78f9-745f-278p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-78f9-745f-278p

Aliases

CVE-2022-37423

Published

2022-08-12T15:38:33Z

Modified

2024-11-28T05:28:06.436412Z

Summary

Neo4j Graph apoc plugins Partial Path Traversal Vulnerability

Details

Impact

A partial Directory Traversal Vulnerability found in apoc.log.stream function of apoc plugins in Neo4j Graph database. This issue allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.

Patches

The users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing patch for this vulnerability are 4.4.0.8 and 4.3.0.7

Workarounds

If you cannot upgrade the library, you can control the allowlist of the functions that can be used in your system

For more information

If you have any questions or comments about this advisory: - Open an issue in neo4j-apoc-procedures - Email us at security@neo4j.com

Credits

We want to publicly recognise the contribution of Jonathan Leitschuh for reporting this issue.

Database specific

{
    "nvd_published_at": "2022-08-12T15:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-12T15:38:33Z"
}

References

Affected packages

Maven / org.neo4j.procedure:apoc

Package

Name: org.neo4j.procedure:apoc; View open source insights on deps.dev
Purl: pkg:maven/org.neo4j.procedure/apoc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.4.0.0

Fixed

4.4.0.8

Affected versions

4.*

4.4.0.0

4.4.0.1

4.4.0.2

4.4.0.3

4.4.0.4

4.4.0.5

4.4.0.6

4.4.0.7

Maven / org.neo4j.procedure:apoc

Package

Name: org.neo4j.procedure:apoc; View open source insights on deps.dev
Purl: pkg:maven/org.neo4j.procedure/apoc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.0.7

Affected versions

1.*

1.0.0-RC1

1.0.0

1.1.0

3.*

3.0.4.1

3.0.4.2

3.0.8.4

3.0.8.5

3.1.0.2

3.1.0.3

3.1.0.4

3.1.0.5

3.1.2.5

3.1.3.7

3.1.3.8

3.1.3.9

3.2.0.1

3.2.0.4

3.2.3.5

3.2.3.6

3.3.0.1

3.3.0.2

3.3.0.3

3.3.0.4

3.4.0.1

3.4.0.2

3.4.0.3

3.4.0.4

3.4.0.5

3.4.0.7

3.5.0.1

3.5.0.2

3.5.0.4

3.5.0.5

3.5.0.6

3.5.0.7

3.5.0.10

3.5.0.11

3.5.0.12

3.5.0.13

3.5.0.14

3.5.0.15

3.5.0.17

3.5.0.18

3.5.0.19

3.5.0.20

3.5.0.21

4.*

4.0.0-rc01

4.0.0.0

4.0.0.1

4.0.0.2

4.0.0.5

4.0.0.6

4.0.0.7

4.0.0.8

4.0.0.9

4.0.0.10

4.0.0.11

4.0.0.12

4.0.0.13

4.0.0.14

4.0.0.15

4.0.0.16

4.0.0.17

4.0.0.18

4.1.0.0

4.1.0.1

4.1.0.2

4.1.0.3

4.1.0.4

4.1.0.5

4.1.0.6

4.1.0.7

4.1.0.8

4.1.0.9

4.1.0.10

4.1.0.11

4.1.0.12

4.2.0.0

4.2.0.1

4.2.0.2

4.2.0.3

4.2.0.4

4.2.0.5

4.2.0.6

4.2.0.7

4.2.0.8

4.2.0.9

4.2.0.10

4.2.0.11

4.2.0.12

4.3.0.0

4.3.0.1

4.3.0.2

4.3.0.3

4.3.0.4

4.3.0.5

4.3.0.6