CVE-2022-37423
Neo4j Graph apoc plugins Partial Path Traversal Vulnerability
Description
### Impact

A partial directory traversal vulnerability was found in the `apoc.log.stream` function of the APOC plugin for the Neo4j graph database. The function validates a user-controlled path with a string prefix comparison of the form `userControlled.getCanonicalPath().startsWith("/usr/out")`. A string prefix check does not compare whole path elements, so a malicious actor can break out of the expected directory into any sibling directory whose name begins with the same prefix: with the check above, a path under `/usr/outnot` is accepted. The impact is limited to those prefix-sharing sibling directories, since canonicalization still removes `..` sequences.

### Patches

Use the latest released APOC version compatible with your Neo4j version. The minimum versions containing the patch for this vulnerability are 4.4.0.8 (4.4 line) and 4.3.0.7 (4.3 line).

### Workarounds

If you cannot upgrade the library, restrict which procedures and functions can be called through the [allowlist of the functions](https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/#config_dbms.security.procedures.allowlist) setting (`dbms.security.procedures.allowlist`); an allowlist that does not include `apoc.log.stream` (or the `apoc.log.*` group) makes the affected function unavailable.

### For more information

If you have any questions or comments about this advisory:

- Open an issue in [neo4j-apoc-procedures](https://github.com/neo4j-contrib/neo4j-apoc-procedures)
- Email us at [security@neo4j.com](mailto:security@neo4j.com)

### Credits

We want to publicly recognise the contribution of [Jonathan Leitschuh](https://github.com/JLLeitschuh) for reporting this issue.
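The following is an added example, not code from APOC or the advisory, showing the vulnerable prefix check quoted above next to two corrected forms. The base directory `/usr/out` is the hypothetical one from the advisory text, the input paths are constructed, and Unix-style paths on a POSIX file system are assumed (`getCanonicalPath` works on non-existent paths, so nothing needs to exist on disk).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Partial path traversal (CWE-23): a string prefix check on a canonical path
 * versus a path-element-aware check. Added example; BASE and the inputs are
 * hypothetical and are not APOC's own code or configuration.
 */
public class PartialPathTraversalDemo {

    // Hypothetical directory that user-supplied paths are supposed to stay inside.
    static final String BASE = "/usr/out";

    // Vulnerable pattern named in the advisory: "/usr/outnot/secret.txt" passes,
    // because the String "/usr/outnot/secret.txt" starts with the String "/usr/out".
    static boolean vulnerableCheck(String userControlled) throws IOException {
        String canonical = new File(userControlled).getCanonicalPath();
        return canonical.startsWith(BASE);
    }

    // Fix 1: compare whole path elements. Path.startsWith(Path) only matches on
    // element boundaries, so "/usr/outnot" does not start with "/usr/out".
    static boolean fixedCheck(String userControlled) throws IOException {
        Path base = Paths.get(BASE).toAbsolutePath().normalize();
        Path canonical = Paths.get(new File(userControlled).getCanonicalPath());
        return canonical.startsWith(base);
    }

    // Fix 2: same idea for code that must keep String APIs. Accept the base
    // directory itself, or the base followed by a separator; never a bare prefix.
    static boolean fixedStringCheck(String userControlled) throws IOException {
        String canonical = new File(userControlled).getCanonicalPath();
        return canonical.equals(BASE) || canonical.startsWith(BASE + File.separator);
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: an in-bounds file, a ".." escape (canonicalization
        // defeats it for all three checks), the sibling-prefix escape that only the
        // vulnerable check accepts, and the base directory itself.
        String[] inputs = {
            "/usr/out/neo4j.log",
            "/usr/out/../etc/passwd",
            "/usr/outnot/secret.txt",
            "/usr/out",
        };
        for (String in : inputs) {
            System.out.printf("%-26s vulnerable=%-5b fixed=%-5b fixedString=%b%n",
                    in, vulnerableCheck(in), fixedCheck(in), fixedStringCheck(in));
        }
    }
}
```

Running the class prints one line per input; `/usr/outnot/secret.txt` is the only one where `vulnerableCheck` returns true while both fixed checks return false, which is exactly the sibling-directory escape the advisory describes.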
How to fix CVE-2022-37423
To remediate CVE-2022-37423, upgrade the affected package to a fixed version below.
- upgrade to 4.4.0.8 or later (for the 4.3 line, the advisory names 4.3.0.7 as the minimum patched version)
Is CVE-2022-37423 being exploited?
Low: EPSS is 0.3%, a low estimated probability of exploitation in the wild within the next 30 days; exploitation activity has not been reported at scale.
Affected packages (1)
- Neo4j APOC plugin, 4.4 line: >= 4.4.0.0, < 4.4.0.8