Description

neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 45bc09c.

Remediation

References

https://0dd.zone/2018/10/27/neo4f-apoc-procedures-XXE/

https://github.com/neo4j-contrib/neo4j-apoc-procedures/issues/931

Related Vulnerabilities

CVE-2017-14868 Vulnerability in maven package org.restlet.osgi:org.restlet

CVE-2018-1000665 Vulnerability in maven package org.dojotoolkit:dojo

CVE-2022-36887 Vulnerability in maven package org.jenkins-ci.plugins:jobconfighistory

CVE-2020-7743 Vulnerability in maven package org.webjars.bower:mathjs

CVE-2016-6794 Vulnerability in maven package org.apache.tomcat:tomcat-util-scan

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Tags

Third Party Advisory Issue Tracking Patch