Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify it against the actual situation before relying on it.
Vulnerability Title
N/A
Vulnerability Description
APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin in the Neo4j graph database prior to version 5.5.0 and 4.4.0.14 (4.4 branch). XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured securely and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks against the application. Abusing the XXE vulnerability enabled assessors to read local files remotely, although with the level of privileges the assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, the assessors noted, through local testing, that the server could be crashed by passing in improperly formatted XML. The minimum version containing a patch for this vulnerability is 5.5.0. Those who cannot upgrade the library can restrict the allowlist of procedures that may be used on their system.
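The root cause above is a StAX/XML parser left at its permissive defaults. The following is an added illustration, not APOC's own importer code: it assumes a StAX-based GraphML reader and contrasts a permissive XMLInputFactory with one that disables DTD processing and external entity resolution, run against a constructed GraphML sample that carries a DTD.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class GraphmlParserHardening {
    // Constructed sample: a minimal GraphML document that carries a DTD. A DOCTYPE in
    // untrusted input is where entity declarations live, so a hardened parser must not process it.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE graphml [ <!ENTITY note \"declared-in-dtd\"> ]>\n"
      + "<graphml><graph id=\"G\"><node id=\"n0\">&note;</node></graph></graphml>";
    /** Weak setting: DTDs are processed and external entities are resolved. */
    static XMLInputFactory permissiveFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.TRUE);
        return f;
    }
    /** Hardened setting: no DTD processing and no external entity resolution. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Belt and braces: fail loudly if the implementation still asks to resolve anything.
        f.setXMLResolver((publicID, systemID, baseURI, ns) -> {
            throw new XMLStreamException("external entity resolution is disabled: " + systemID);
        });
        return f;
    }
    /** Counts <node> elements, or returns -1 when the parser refuses the document. */
    static int countNodes(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            int nodes = 0;
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT && "node".equals(r.getLocalName())) nodes++;
            }
            return nodes;
        } catch (XMLStreamException e) {
            return -1; // whether this throws or merely leaves &note; unresolved depends on the StAX impl
        }
    }
    public static void main(String[] args) {
        System.out.println("permissive: " + countNodes(permissiveFactory(), SAMPLE_WITH_DTD));
        System.out.println("hardened:   " + countNodes(hardenedFactory(), SAMPLE_WITH_DTD));
    }
}
```

The permissive factory happily parses the DTD-bearing document; the hardened one refuses to process the DOCTYPE, which is the behaviour an importer fed untrusted GraphML should have.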
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
Vulnerability Type
Improper Restriction of XML External Entity Reference (XXE)
Vulnerability Title
Neo4j code issue vulnerability
Vulnerability Description
Neo4j is a Java-based, fully ACID-compliant graph database from the US company Neo4j; it supports data migration, add-on components and more. Versions of Neo4j prior to 5.5.0 contain a code issue vulnerability that stems from an XML External Entity (XXE) flaw; an attacker can exploit it to read local files, send HTTP requests, and perform denial-of-service attacks against the application.
CVSS Information
N/A
Vulnerability Type
N/A