Skip to content

XML External Entity (XXE) vulnerability in apoc.import.graphml

Moderate
nadja-muller published GHSA-9vx8-f5c4-862x Feb 24, 2023

Package

maven org.neo4j.procedure:apoc (Maven)

Affected versions

<4.4.0.14

Patched versions

4.4.0.14

Description

Impact

A XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC core plugin in Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this.

External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application.

Abusing the XXE vulnerability enabled assessors to read local files remotely. Although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, the server could be crashed by passing in improperly formatted XML.

Patches

The users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing patch for this vulnerability is 4.4.0.14.

Workarounds

If you cannot upgrade the library, you can control the allowlist of the procedures that can be used in your system.

For more information

If you have any questions or comments about this advisory:

Credits

We want to publicly recognise the contribution of Christopher Schneider – State Farm.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H

CVE ID

CVE-2023-23926

Weaknesses