Description
Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.
Remediation
References
https://www.exploit-db.com/exploits/50170
Related Vulnerabilities
CVE-2019-20503 Vulnerability in npm package electron
CVE-2021-27515 Vulnerability in maven package org.webjars.npm:url-parse
CVE-2019-5447 Vulnerability in npm package http-file-server
CVE-2020-7700 Vulnerability in npm package phpjs
CVE-2019-1003030 Vulnerability in maven package org.jenkins-ci.plugins.workflow:workflow-cps