[MAVEN:GHSA-78F9-745F-278P] Neo4j Graph apoc plugins Partial Path Traversal Vulnerability

Severity Moderate

Affected Packages 2

Fixed Packages 2

CVEs 1

Impact

A partial Directory Traversal Vulnerability found in apoc.log.stream function of apoc plugins in Neo4j Graph database.
This issue allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.

Patches

The users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing patch for this vulnerability are 4.4.0.8 and 4.3.0.7

Workarounds

If you cannot upgrade the library, you can control the allowlist of the functions that can be used in your system

For more information

If you have any questions or comments about this advisory:
- Open an issue in neo4j-apoc-procedures
- Email us at security@neo4j.com

Credits

We want to publicly recognise the contribution of Jonathan Leitschuh for reporting this issue.

Package	Affected Version
pkg:maven/org.neo4j.procedure/apoc	< 4.3.0.7
pkg:maven/org.neo4j.procedure/apoc	>= 4.4.0.0, < 4.4.0.8

Package	Fixed Version
pkg:maven/org.neo4j.procedure/apoc	= 4.3.0.7
pkg:maven/org.neo4j.procedure/apoc	= 4.4.0.8

ID: MAVEN:GHSA-78F9-745F-278P
Severity: moderate
URL: https://github.com/advisories/GHSA-78f9-745f-278p
Published: 2022-08-12T15:38:33
(2 years ago)
Modified: 2023-01-27T05:06:04
(20 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://github.com/neo4j-contrib/neo4j-apoc-procedures/security/advisories/GHSA-78f9-745f-278p
			https://github.com/neo4j-contrib/neo4j-apoc-procedures/pull/3080
			https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/d2f415c6f703bbc2cda4a753928821ff15d5c620
			https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/fe9f8c77269f5a742585c1d62324eb70755de510
			https://nvd.nist.gov/vuln/detail/CVE-2022-37423
			https://neo4j.com/docs/aura/platform/apoc/
			https://github.com/advisories/GHSA-78f9-745f-278p

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.neo4j.procedure/apoc	org.neo4j.procedure	apoc	< 4.3.0.7
Fixed	pkg:maven/org.neo4j.procedure/apoc	org.neo4j.procedure	apoc	= 4.3.0.7
Affected	pkg:maven/org.neo4j.procedure/apoc	org.neo4j.procedure	apoc	>= 4.4.0.0 < 4.4.0.8
Fixed	pkg:maven/org.neo4j.procedure/apoc	org.neo4j.procedure	apoc	= 4.4.0.8

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date