=====================================================================

                             CERT-Renater

                   Note d'Information No. 2021/VULN059
_____________________________________________________________________

DATE                : 03/02/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Neo4j Graph Database versions
                         prior to 3.5.17, 4.2.10, 4.3.0.4, 4.4.0.1.

=====================================================================
https://github.com/advisories/GHSA-4mpj-488r-vh6m
https://github.com/neo4j-contrib/neo4j-apoc-procedures/security/advisories/GHSA-4mpj-488r-vh6m
_____________________________________________________________________


Path traversal in Neo4j Graph Database
Moderate severity GitHub Reviewed

Vulnerability details

Package             org.neo4j.procedure:apoc (maven)
Affected versions   < 3.5.17
                     >= 4.2.0, < 4.2.10
                     >= 4.3.0.0, <= 4.3.0.3
                     = 4.4.0.0
Patched versions    3.5.17
                     4.2.10
                     4.3.0.4
                     4.4.0.1

Description

Impact
Directory Traversal Vulnerabilities found in several functions of apoc
plugins in Neo4j Graph database. The attacker can retrieve and download
files from outside the configured directory on the affected server.
Under some circumstances, the attacker can also create files.


Patches
The users should aim to use the latest released version compatible with
their Neo4j version. The minimum versions containing patch for this
vulnerability (for Neo4j 4.2, 4.3, and 4.4 bundled with APOC, upgrade to
the appropriate patched version):

3.5 - bundle n/a, standalone 3.5.0.17
4.2 - bundle 4.2.13, standalone 4.2.10
4.3 - bundle 4.3.9, standalone 4.3.0.4
4.4 - bundle 4.4.2, standalone 4.4.0.1


Workarounds
If you cannot upgrade the library, you can control the allowlist of the
functions that can be used in your system:


For more information
If you have any questions or comments about this advisory:

Open an issue in neo4j-apoc-procedures
Email us at security@neo4j.com


References
GHSA-4mpj-488r-vh6m


CVE ID
CVE-2021-42767

CWEs
CWE-22

CVSS Score
5.4 Moderate
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================