GHSA-pc4w-8v5j-29w9

Source
https://github.com/advisories/GHSA-pc4w-8v5j-29w9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-pc4w-8v5j-29w9/GHSA-pc4w-8v5j-29w9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pc4w-8v5j-29w9
Aliases
Published
2021-09-01T18:31:29Z
Modified
2023-12-06T01:01:17.295219Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Deserialization of Untrusted Data in Neo4j
Details

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.

Database specific
{
    "nvd_published_at": "2021-08-05T20:15:00Z",
    "github_reviewed_at": "2021-08-30T21:46:09Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Maven / org.neo4j:neo4j

Package

Name
org.neo4j:neo4j
Purl
pkg:maven/org.neo4j/neo4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.5.0

Affected versions

1.*

1.2.M01
1.2.M02
1.2.M03
1.2.M04
1.2.M05
1.2.M06
1.2
1.3.M01
1.3.M02
1.3.M03
1.3.M04
1.3.M05
1.3
1.4.M01
1.4.M02
1.4.M03
1.4.M04
1.4.M05
1.4.M06
1.4
1.4.1
1.4.2
1.5.M01
1.5.M02
1.5
1.5.1
1.5.2
1.5.3
1.6.M01
1.6.M02
1.6.M03
1.6
1.6.1
1.6.2
1.6.3
1.7.M01
1.7.M02
1.7.M03
1.7
1.7.1
1.7.2
1.8.M01
1.8.M02
1.8.M03
1.8.M04
1.8.M05
1.8.M06
1.8.M07
1.8.RC1
1.8
1.8.1
1.8.2
1.8.3
1.9.M01
1.9.M02
1.9.M03
1.9.M04
1.9.M05
1.9.RC1
1.9.RC2
1.9
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8
1.9.9

2.*

2.0.0-M01
2.0.0-M02
2.0.0-M03
2.0.0-M04
2.0.0-M05
2.0.0-M06
2.0.0-RC1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.1.0-M01
2.1.0-M02
2.1.0-RC1
2.1.0-RC2
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.2.0-M01
2.2.0-M02
2.2.0-M03
2.2.0-M04
2.2.0-RC01
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0-M01
2.3.0-M02
2.3.0-M03
2.3.0-RC1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.3.11
2.3.12

3.*

3.0.0-M01
3.0.0-M02
3.0.0-M03
3.0.0-M04
3.0.0-M05
3.0.0-RC1
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.1.0-BETA1
3.1.0-M01
3.1.0-M02
3.1.0-M03
3.1.0-M04
3.1.0-M05
3.1.0-M06
3.1.0-M07
3.1.0-M08
3.1.0-M09
3.1.0-M10
3.1.0-M12-beta2
3.1.0-M13-beta3
3.1.0-RC1
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.2.0-alpha01
3.2.0-alpha02
3.2.0-alpha03
3.2.0-alpha04
3.2.0-alpha05
3.2.0-alpha06
3.2.0-alpha07
3.2.0-alpha08
3.2.0-rc1
3.2.0-rc2
3.2.0-rc3
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13
3.2.14
3.3.0-alpha01
3.3.0-alpha02
3.3.0-alpha03
3.3.0-alpha04
3.3.0-alpha05
3.3.0-alpha06
3.3.0-alpha07
3.3.0-beta01
3.3.0-beta02
3.3.0-rc1
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.4.0-alpha01
3.4.0-alpha02
3.4.0-alpha03
3.4.0-alpha04
3.4.0-alpha05
3.4.0-alpha06
3.4.0-alpha07
3.4.0-alpha08
3.4.0-alpha09
3.4.0-alpha10
3.4.0-beta01
3.4.0-beta02
3.4.0-rc01
3.4.0-rc02
3.4.0
3.4.1
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.4.9
3.4.10
3.4.11
3.4.12
3.4.13
3.4.14
3.4.15
3.4.16
3.4.17
3.4.18
3.5.0-alpha01
3.5.0-alpha02
3.5.0-alpha03
3.5.0-alpha04
3.5.0-alpha05
3.5.0-alpha06
3.5.0-alpha07
3.5.0-alpha08
3.5.0-alpha09
3.5.0-beta01
3.5.0-beta02
3.5.0-beta03
3.5.0-rc01