GHSA-h5f5-rj4r-42f6

Source
https://github.com/advisories/GHSA-h5f5-rj4r-42f6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h5f5-rj4r-42f6/GHSA-h5f5-rj4r-42f6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h5f5-rj4r-42f6
Aliases
Published
2018-10-17T17:31:26Z
Modified
2023-11-08T04:00:05.366349Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Incorrect access control in Neo4j Enterprise Database Server via LDAP authentication
Details

Due to incorrect access control in Neo4j Enterprise Database Server 3.4.x before 3.4.9, a configuration that uses LDAP for authentication with STARTTLS and the System Account for authorization allows an attacker to log into the server by sending any valid username together with an arbitrary password.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T21:38:59Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Maven / org.neo4j:neo4j-enterprise

Package

Name
org.neo4j:neo4j-enterprise
Purl
pkg:maven/org.neo4j/neo4j-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.4.0
Fixed
3.4.9

Affected versions

3.*

3.4.0
3.4.1
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8