Package Instance

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j that provides hundreds of procedures and functions. A path traversal vulnerability found in the apoc.export.* procedures of apoc plugins in Neo4j Graph database. The issue allows a malicious actor to potentially break out of the expected directory. The vulnerability is such that files could only be created but not overwritten. For the vulnerability to be exploited, an attacker would need access to execute an arbitrary query, either by having access to an authenticated Neo4j client, or a Cypher injection vulnerability in an application. The minimum versions containing patch for this vulnerability are 4.4.0.12 and 4.3.0.12 and 5.3.1. As a workaround, you can control the allowlist of the procedures that can be used in your system, and/or turn off local file access by setting apoc.export.file.enabled=false.

Improper Restriction of XML External Entity Reference
APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC plugin prior to version 4.4.0.14 in Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application. Abusing the XXE vulnerability enabled assessors to read local files remotely. Although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, the server could be crashed by passing in improperly formatted XML. The minimum version containing a patch for this vulnerability is 4.4.0.14. Those who cannot upgrade the library can control the allowlist of the procedures that can be used in your system.

Duplicate
This advisory duplicates another.

Improper Restriction of XML External Entity Reference
neo4j-apoc-procedures contains an XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.

Neo4j Graph apoc plugins Partial Path Traversal Vulnerability
### Impact
A partial Directory Traversal Vulnerability found in `apoc.log.stream` function of apoc plugins in Neo4j Graph database. 
This issue allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, `userControlled.getCanonicalPath().startsWith("/usr/out")` will allow an attacker to access a directory with a name like `/usr/outnot`.

### Patches
The users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing patch for this vulnerability are 4.4.0.8 and 4.3.0.7

### Workarounds
If you cannot upgrade the library, you can control the [allowlist of the functions](https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/#config_dbms.security.procedures.allowlist) that can be used in your system


### For more information
If you have any questions or comments about this advisory:
- Open an issue in [neo4j-apoc-procedures](https://github.com/neo4j-contrib/neo4j-apoc-procedures)
- Email us at [security@neo4j.com](mailto:security@neo4j.com)

### Credits
We want to publicly recognise the contribution of [Jonathan Leitschuh](https://github.com/JLLeitschuh) for reporting this issue.