5.9

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-9vx8-f5c4-862x

EPSS Score

CWE

CWE-611

Published

2/24/2023

Updated

3/31/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-9vx8-f5c4-862x

GHSA-9vx8-f5c4-862x: XML External Entity (XXE) vulnerability in apoc.import.graphml

Impact

A XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC core plugin in Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this.

External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application.

Abusing the XXE vulnerability enabled assessors to read local files remotely. Although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, the server could be crashed by passing in improperly formatted XML.

Patches

The users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing patch for this vulnerability is 4.4.0.14.

Workarounds

If you cannot upgrade the library, you can control the allowlist of the procedures that can be used in your system.

For more information

If you have any questions or comments about this advisory:

Open an issue in neo4j-apoc-procedures
Email us at security@neo4j.com

Credits

We want to publicly recognise the contribution of Christopher Schneider – State Farm.

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-9vx8-f5c4-862x

EPSS Score

CWE

CWE-611

Published

2/24/2023

Updated

3/31/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.neo4j.procedure:apoc	maven	< 4.4.0.14	4.4.0.14
org.neo4j.procedure:apoc	maven	>= 5.0.0, < 5.5.0	5.5.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the XML parser configuration in XmlGraphMLReader.java. The pre-patch code created an XMLInputFactory without disabling DTD support (SUPPORT_DTD=true) and allowed external entities (IS_SUPPORTING_EXTERNAL_ENTITIES=true). This insecure configuration is directly modified in the security patch by setting these properties to false. The parseXML method is the entry point for XML processing in the vulnerable apoc.import.graphml procedure, making it the clear attack vector. The added DTD event check and exception further confirm this was the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * XML *xt*rn*l *ntity (XX*) vuln*r**ility *oun* in t** *po*.import.*r*p*ml pro***ur* o* *PO* *or* plu*in in N*o*j *r*p* **t***s*. XML *xt*rn*l *ntity (XX*) inj**tion o**urs w**n t** XML p*rs*r *llows *xt*rn*l *ntiti*s to ** r*solv**. T** X

Reasoning

T** vuln*r**ility st*ms *rom t** XML p*rs*r *on*i*ur*tion in Xml*r*p*MLR****r.j*v*. T** pr*-p*t** *o** *r**t** *n XMLInput***tory wit*out *is**lin* *T* support (SUPPORT_*T*=tru*) *n* *llow** *xt*rn*l *ntiti*s (IS_SUPPORTIN*_*XT*RN*L_*NTITI*S=tru*). T

5.9

Basic Information

Concerned about an active attack path?

GHSA-9vx8-f5c4-862x: XML External Entity (XXE) vulnerability in apoc.import.graphml

Impact

Patches

Workarounds

For more information

Credits

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI