CVE-2021-34371
Deserialization of Untrusted Data in Neo4j
Severity: CRITICAL (CVSS 3.1 base score 9.8). EPSS: 68.1%.
Description
Neo4j through 3.4.18, when the shell server is enabled, exposes an RMI service that deserializes arbitrary Java objects supplied by the client, for example via the setSessionVariable call. Because Neo4j's classpath includes dependencies with known exploitable gadget chains, an attacker who can reach the RMI port can turn that deserialization into remote code execution; no credentials or user interaction are needed (the CVSS vector below carries PR:N and UI:N).
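The precondition for this bug is a reachable RMI (JRMP) listener. The following probe, added here as an example and not code from Neo4j or from this advisory's source, completes only the JRMP stream-protocol handshake (client hello: magic "JRMI", version 2, protocol byte 0x4B; server reply: ProtocolAck 0x4E followed by a suggested host and port) and sends no serialized object, so it confirms that a port speaks RMI without triggering deserialization. The default shell-server port of 1337 is an assumption, not something the page states, and the loopback mock server is constructed so the exchange can be run offline.

```python
"""Fingerprint a TCP port as a Java RMI (JRMP) endpoint by completing only the
JRMP stream-protocol handshake. No serialized object is ever sent, so the probe
cannot trigger deserialization on the target; it just establishes that the port
speaks JRMP, which is the exposure CVE-2021-34371 requires."""
import socket
import struct
import threading

# JRMP stream-protocol constants from the RMI wire protocol (TransportConstants).
JRMI_MAGIC = 0x4A524D49      # ASCII "JRMI"
JRMP_VERSION = 2
STREAM_PROTOCOL = 0x4B       # 'K'
PROTOCOL_ACK = 0x4E          # 'N'
PROTOCOL_NACK = 0x4F         # 'O'

# Default port of the Neo4j 3.x shell server (assumption; not stated on the page).
DEFAULT_SHELL_PORT = 1337


def build_client_hello() -> bytes:
    """Client's first message: 4-byte magic, 2-byte version, 1 protocol byte."""
    return struct.pack(">IHB", JRMI_MAGIC, JRMP_VERSION, STREAM_PROTOCOL)


def build_server_ack(host: str, port: int) -> bytes:
    """Server's reply to a stream-protocol hello: ProtocolAck, then the endpoint
    it suggests the client use, as a Java UTF string (2-byte length prefix)
    followed by a 4-byte big-endian port."""
    h = host.encode("utf-8")
    return struct.pack(">BH", PROTOCOL_ACK, len(h)) + h + struct.pack(">i", port)


def parse_server_ack(data: bytes):
    """Decode a server reply. Returns a dict for a recognised JRMP reply, or
    None if the bytes are not JRMP at all (e.g. an HTTP banner or a truncated
    reply)."""
    if not data:
        return None
    if data[0] == PROTOCOL_NACK:
        return {"ack": False}
    if data[0] != PROTOCOL_ACK or len(data) < 3:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + hlen + 4:
        return None
    host = data[3:3 + hlen].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[3 + hlen:7 + hlen])
    return {"ack": True, "suggested_host": host, "suggested_port": port}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during JRMP handshake")
        buf += chunk
    return buf


def probe_jrmp(host: str, port: int = DEFAULT_SHELL_PORT, timeout: float = 3.0):
    """Connect, send the hello, read one reply. Returns parse_server_ack()'s
    result, or None if the peer does not answer like a JRMP endpoint (wrong
    first byte, silence until timeout, or connection refused)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            first = _recv_exact(s, 1)
            if first[0] != PROTOCOL_ACK:
                return parse_server_ack(first)   # NACK -> {"ack": False}; junk -> None
            hlen = struct.unpack(">H", _recv_exact(s, 2))[0]
            rest = _recv_exact(s, hlen + 4)
            return parse_server_ack(first + struct.pack(">H", hlen) + rest)
    except (OSError, ConnectionError, struct.error):
        return None


def start_mock_jrmp_server(host_to_advertise: str = "127.0.0.1") -> int:
    """Constructed loopback server that answers one stream-protocol hello the
    way a JRMP listener does, so the probe can be exercised offline. Returns
    the bound port. This is not an RMI implementation."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            magic, _version, proto = struct.unpack(">IHB", _recv_exact(conn, 7))
            if magic == JRMI_MAGIC and proto == STREAM_PROTOCOL:
                conn.sendall(build_server_ack(host_to_advertise, port))
            else:
                conn.sendall(bytes([PROTOCOL_NACK]))

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    mock_port = start_mock_jrmp_server()
    print(probe_jrmp("127.0.0.1", mock_port))
```

Run it against a host's shell-server port: an `{"ack": True, ...}` result means an RMI endpoint is reachable from where you scanned, which on an unpatched 3.4.x deployment is the exposure this CVE describes; a `None` result means the port is closed, filtered, or speaking something other than JRMP. The probe stops after the server's ack and never sends the client-side endpoint or any call, so it is safe to run from a monitoring host.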
How to fix CVE-2021-34371
To remediate CVE-2021-34371, upgrade the affected package to one of the fixed versions below. The flaw is only reachable while the shell server is enabled, so until the upgrade is rolled out, disabling the shell server (the `dbms.shell.enabled` setting in a 3.x neo4j.conf, which this advisory does not itself name) or blocking its RMI port from untrusted networks removes the exposure.
- upgrade to 3.4.19 or later
- upgrade to 3.5.0 or later
Is CVE-2021-34371 being exploited?
Likely. EPSS estimates a 68.1% probability of exploitation activity in the wild within the next 30 days, which places CVE-2021-34371 in the top tier of vulnerabilities by exploitation probability. EPSS is a prediction, not confirmation of a specific incident, but at this level the issue should be treated as actively exploited and patched first.
Affected packages (2)
- all versions from 0 up to, but not including, 3.4.19
- all versions from 0 up to, but not including, 3.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |