PT-2022-23988 · Neo4J · Neo4J Apoc
Jonathan Leitschuh · Published 2022-08-12 · Updated 2022-08-16
CVE-2022-37423
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Neo4j APOC versions 4.3.0.0 through 4.3.0.6
Neo4j APOC versions 4.4.0.0 through 4.4.0.7
Description
A Directory Traversal issue exists, allowing access to sibling directories via the apoc.log.stream function. The issue is limited to sibling directories: for example, if a user-controlled path is required to start with "/usr/out", an attacker could access a directory named "/usr/outnot".
Recommendations
For Neo4j APOC versions 4.3.0.0 through 4.3.0.6, update to version 4.3.0.7.
For Neo4j APOC versions 4.4.0.0 through 4.4.0.7, update to version 4.4.0.8.
As a temporary workaround, consider controlling the allowlist of functions that can be used in your system by configuring the dbms.security.procedures.allowlist setting.
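The sibling-directory behaviour described above is the classic string-prefix containment check. As an added illustration (not APOC's code; the class and method names are hypothetical), the Java below places the weak prefix check next to a component-wise check on normalized java.nio.file.Path objects, which rejects "/usr/outnot" as a child of "/usr/out".

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper illustrating the flaw class; not Neo4j APOC source.
public final class PathContainment {

    // Weak check: plain string prefix. "/usr/outnot/secret" starts with the
    // characters "/usr/out", so a sibling directory passes as if it were inside.
    static boolean weakIsInside(String baseDir, String requested) {
        return requested.startsWith(baseDir);
    }

    // Hardened check: normalize both sides (collapses "." and ".."), then compare
    // whole path components. Path.startsWith matches component by component,
    // so "/usr/outnot" does not start with "/usr/out".
    // Caveat: this does not resolve symlinks; use toRealPath() on an existing
    // file when links inside the base directory are a concern.
    static boolean isInside(String baseDir, String requested) {
        Path base = Paths.get(baseDir).toAbsolutePath().normalize();
        // resolve() returns the requested path unchanged if it is already absolute.
        Path target = base.resolve(requested).toAbsolutePath().normalize();
        return target.startsWith(base);
    }

    public static void main(String[] args) {
        String base = "/usr/out";
        // Constructed sample inputs: one legitimate child, one sibling, one
        // that reaches the sibling through "..".
        String[] probes = {
            "/usr/out/data.log",
            "/usr/outnot/secret",
            "/usr/out/../outnot/secret"
        };
        for (String p : probes) {
            System.out.printf("%-28s weak=%-5b hardened=%b%n",
                    p, weakIsInside(base, p), isInside(base, p));
        }
    }
}
```

Only the first probe is accepted by the hardened check; the weak check accepts all three.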
Weakness Enumeration
Path traversal
Related Identifiers
CVE-2022-37423
Affected Products
Neo4J Apoc