GHSA-78f9-745f-278p

Suggest an improvement
Source
https://github.com/advisories/GHSA-78f9-745f-278p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-78f9-745f-278p/GHSA-78f9-745f-278p.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-78f9-745f-278p
Aliases
Published
2022-08-12T15:38:33Z
Modified
2024-11-28T05:37:53.794141Z
Summary
Neo4j Graph apoc plugins Partial Path Traversal Vulnerability
Details

Impact

A partial Directory Traversal Vulnerability found in apoc.log.stream function of apoc plugins in Neo4j Graph database. This issue allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.

Patches

The users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing patch for this vulnerability are 4.4.0.8 and 4.3.0.7

Workarounds

If you cannot upgrade the library, you can control the allowlist of the functions that can be used in your system

For more information

If you have any questions or comments about this advisory: - Open an issue in neo4j-apoc-procedures - Email us at security@neo4j.com

Credits

We want to publicly recognise the contribution of Jonathan Leitschuh for reporting this issue.

Database specific
{
    "nvd_published_at": "2022-08-12T15:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-12T15:38:33Z"
}
References

Affected packages

Maven / org.neo4j.procedure:apoc

Package

Name
org.neo4j.procedure:apoc
View open source insights on deps.dev
Purl
pkg:maven/org.neo4j.procedure/apoc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0.0
Fixed
4.4.0.8

Affected versions

4.*

4.4.0.0
4.4.0.1
4.4.0.2
4.4.0.3
4.4.0.4
4.4.0.5
4.4.0.6
4.4.0.7

Maven / org.neo4j.procedure:apoc

Package

Name
org.neo4j.procedure:apoc
View open source insights on deps.dev
Purl
pkg:maven/org.neo4j.procedure/apoc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.0.7

Affected versions

1.*

1.0.0-RC1
1.0.0
1.1.0

3.*

3.0.4.1
3.0.4.2
3.0.8.4
3.0.8.5
3.1.0.2
3.1.0.3
3.1.0.4
3.1.0.5
3.1.2.5
3.1.3.7
3.1.3.8
3.1.3.9
3.2.0.1
3.2.0.4
3.2.3.5
3.2.3.6
3.3.0.1
3.3.0.2
3.3.0.3
3.3.0.4
3.4.0.1
3.4.0.2
3.4.0.3
3.4.0.4
3.4.0.5
3.4.0.7
3.5.0.1
3.5.0.2
3.5.0.4
3.5.0.5
3.5.0.6
3.5.0.7
3.5.0.10
3.5.0.11
3.5.0.12
3.5.0.13
3.5.0.14
3.5.0.15
3.5.0.17
3.5.0.18
3.5.0.19
3.5.0.20
3.5.0.21

4.*

4.0.0-rc01
4.0.0.0
4.0.0.1
4.0.0.2
4.0.0.5
4.0.0.6
4.0.0.7
4.0.0.8
4.0.0.9
4.0.0.10
4.0.0.11
4.0.0.12
4.0.0.13
4.0.0.14
4.0.0.15
4.0.0.16
4.0.0.17
4.0.0.18
4.1.0.0
4.1.0.1
4.1.0.2
4.1.0.3
4.1.0.4
4.1.0.5
4.1.0.6
4.1.0.7
4.1.0.8
4.1.0.9
4.1.0.10
4.1.0.11
4.1.0.12
4.2.0.0
4.2.0.1
4.2.0.2
4.2.0.3
4.2.0.4
4.2.0.5
4.2.0.6
4.2.0.7
4.2.0.8
4.2.0.9
4.2.0.10
4.2.0.11
4.2.0.12
4.3.0.0
4.3.0.1
4.3.0.2
4.3.0.3
4.3.0.4
4.3.0.5
4.3.0.6