CVE-2023-23926 (GCVE-0-2023-23926)
Vulnerability from cvelistv5
Published
2023-02-16 00:00
Modified
2025-03-10 21:10
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Summary
APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC core plugin prior to version 5.5.0 and 4.4.0.14 (4.4 branch) in Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application. Abusing the XXE vulnerability enabled assessors to read local files remotely. Although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, the server could be crashed by passing in improperly formatted XML. The minimum version containing a patch for this vulnerability is 5.5.0. Those who cannot upgrade the library can control the allowlist of the procedures that can be used in your system.
References
Impacted products
Vendor Product Version
neo4j apoc Version: < 4.4.0.14
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:42:27.148Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/neo4j/apoc/security/advisories/GHSA-6wxg-wh7f-rqpr"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/neo4j/apoc/pull/310"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/neo4j/apoc/releases/tag/5.5.0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/#config_dbms.security.procedures.allowlist"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-23926",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T20:57:33.486411Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:10:51.401Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "apoc",
          "vendor": "neo4j",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.4.0.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC core plugin prior to version 5.5.0 and 4.4.0.14 (4.4 branch) in Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application. Abusing the XXE vulnerability enabled assessors to read local files remotely. Although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, the server could be crashed by passing in improperly formatted XML. The minimum version containing a patch for this vulnerability is 5.5.0. Those who cannot upgrade the library can control the allowlist of the procedures that can be used in your system."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-14T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/neo4j/apoc/security/advisories/GHSA-6wxg-wh7f-rqpr"
        },
        {
          "url": "https://github.com/neo4j/apoc/pull/310"
        },
        {
          "url": "https://github.com/neo4j/apoc/releases/tag/5.5.0"
        },
        {
          "url": "https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/#config_dbms.security.procedures.allowlist"
        }
      ],
      "source": {
        "advisory": "GHSA-6wxg-wh7f-rqpr",
        "discovery": "UNKNOWN"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-23926",
    "datePublished": "2023-02-16T00:00:00.000Z",
    "dateReserved": "2023-01-19T00:00:00.000Z",
    "dateUpdated": "2025-03-10T21:10:51.401Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-04-14T00:00:00.000Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC core plugin prior to version 5.5.0 and 4.4.0.14 (4.4 branch) in Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application. Abusing the XXE vulnerability enabled assessors to read local files remotely. Although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, the server could be crashed by passing in improperly formatted XML. The minimum version containing a patch for this vulnerability is 5.5.0. Those who cannot upgrade the library can control the allowlist of the procedures that can be used in your system.\"}], \"affected\": [{\"vendor\": \"neo4j\", \"product\": \"apoc\", \"versions\": [{\"version\": \"\u003c 4.4.0.14\", \"status\": \"affected\"}]}], \"references\": [{\"url\": \"https://github.com/neo4j/apoc/security/advisories/GHSA-6wxg-wh7f-rqpr\"}, {\"url\": \"https://github.com/neo4j/apoc/pull/310\"}, {\"url\": \"https://github.com/neo4j/apoc/releases/tag/5.5.0\"}, {\"url\": \"https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/#config_dbms.security.procedures.allowlist\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\"}}], \"problemTypes\": [{\"descriptions\": [{\"type\": \"CWE\", \"lang\": \"en\", \"description\": \"CWE-611: Improper Restriction of XML External Entity Reference\", \"cweId\": \"CWE-611\"}]}], \"source\": {\"advisory\": \"GHSA-6wxg-wh7f-rqpr\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T10:42:27.148Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/neo4j/apoc/security/advisories/GHSA-6wxg-wh7f-rqpr\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/neo4j/apoc/pull/310\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/neo4j/apoc/releases/tag/5.5.0\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/#config_dbms.security.procedures.allowlist\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-23926\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T20:57:33.486411Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T20:57:34.908Z\"}}]}",
      "cveMetadata": "{\"state\": \"PUBLISHED\", \"cveId\": \"CVE-2023-23926\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-10T21:10:51.401Z\", \"dateReserved\": \"2023-01-19T00:00:00.000Z\", \"datePublished\": \"2023-02-16T00:00:00.000Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.