GHSA-h5f5-rj4r-42f6

Suggest an improvement
Source
https://github.com/advisories/GHSA-h5f5-rj4r-42f6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h5f5-rj4r-42f6/GHSA-h5f5-rj4r-42f6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-h5f5-rj4r-42f6
Aliases
Published
2018-10-17T17:31:26Z
Modified
2023-11-01T04:49:12.959896Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Incorrect access control in Neo4j Enterprise Database Server via LDAP authentication
Details

Due to incorrect access control in Neo4j Enterprise Database Server 3.4.x before 3.4.9, the setting of LDAP for authentication with STARTTLS, and System Account for authorization, allows an attacker to log into the server by sending any valid username with an arbitrary password.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T21:38:59Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Maven / org.neo4j:neo4j-enterprise

Package

Name
org.neo4j:neo4j-enterprise
View open source insights on deps.dev
Purl
pkg:maven/org.neo4j/neo4j-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.4.0
Fixed
3.4.9

Affected versions

3.*

3.4.0
3.4.1
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8