PT-2023-19300 · Neo4J · Apoc

Author: Christopher Schneider
Published: 2023-02-16
Updated: 2023-04-14
CVE: CVE-2023-23926
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions

APOC versions prior to 5.5.0
APOC versions 4.4.0 through 4.4.0.13

Description

An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin for the Neo4j graph database. The vulnerability arises because the XML parser used by apoc.import.graphml was not configured securely: it resolved external entities declared in the imported document, which allowed an attacker who can call the procedure to read local files, send HTTP requests, and cause denial of service. Abusing the XXE vulnerability enabled assessors to read local files remotely, although this was limited to one-line files due to the level of privileges assessors had. With the ability to write to the database, any file could have been read. Additionally, assessors noted that the server could be crashed by passing in improperly formatted XML.

Recommendations

For APOC versions prior to 5.5.0, update to version 5.5.0 or later. For APOC versions 4.4.0 through 4.4.0.13, update to version 4.4.0.14 or later. If you cannot upgrade the library, restrict which procedures can be called in your deployment by controlling the procedure allowlist.
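The root cause described above is a StAX/XML parser left at its defaults, which resolve DTD-declared external entities. The following Java program is an added example written for this advisory; it is not APOC's code nor its actual patch. It builds a constructed GraphML document carrying an external entity declaration (the SYSTEM identifier points at a deliberately nonexistent path), parses it once with a factory left at JDK defaults and once with a hardened factory, and reports what each parser did with the entity. The class and method names are illustrative; the XMLInputFactory properties are standard javax.xml.stream constants.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class GraphmlParserHardening {

    // Constructed GraphML fragment for this example. The DOCTYPE declares an
    // external entity; a parser that resolves it would try to open the SYSTEM URI
    // and splice the result into the <data> element.
    static final String GRAPHML_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE graphml [<!ENTITY ext SYSTEM \"file:///nonexistent/constructed-example\">]>\n" +
        "<graphml xmlns=\"http://graphml.graphdrawing.org/xmlns\">\n" +
        "  <graph id=\"G\" edgedefault=\"directed\">\n" +
        "    <node id=\"n0\"><data key=\"name\">&ext;</data></node>\n" +
        "  </graph>\n" +
        "</graphml>\n";

    // JDK defaults: DTD processing on, external entities resolved. This is the
    // class of configuration the advisory describes as insecure.
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened configuration: no DTD processing, no external entity expansion, and
    // a resolver that refuses every external reference in case an implementation
    // ignores the two properties.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        f.setXMLResolver((publicID, systemID, baseURI, namespace) -> {
            throw new XMLStreamException("external entity resolution disabled: " + systemID);
        });
        return f;
    }

    // Streams the document and returns the first character data found inside
    // <data>, or a description of the parser error. Any attempt to touch the
    // external resource surfaces here as an exception rather than as file content.
    static String parseFirstDataValue(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            boolean inData = false;
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.START_ELEMENT && "data".equals(r.getLocalName())) {
                    inData = true;
                } else if (inData && ev == XMLStreamConstants.CHARACTERS) {
                    return "data=" + r.getText();
                } else if (inData && ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    return "unexpanded entity reference: " + r.getLocalName();
                }
            }
            return "no <data> content";
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // With the default factory the parser attempts to open the SYSTEM URI; since
        // the path does not exist it fails, but a readable path would have been
        // inlined into the node property.
        System.out.println("default  -> " + parseFirstDataValue(defaultFactory(), GRAPHML_WITH_EXTERNAL_ENTITY));
        // With the hardened factory the DOCTYPE is not processed at all, so the
        // document is rejected (either at the DTD or at the undeclared &ext;)
        // without any external resource being opened.
        System.out.println("hardened -> " + parseFirstDataValue(hardenedFactory(), GRAPHML_WITH_EXTERNAL_ENTITY));
    }
}
```

The two property settings are the ones to look for when auditing any code path that feeds user-supplied XML into a StAX reader; the explicit XMLResolver is belt-and-braces, because the exact behaviour of SUPPORT_DTD=false differs between the JDK's built-in parser and third-party implementations such as Woodstox, while a throwing resolver fails closed on all of them.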
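For the allowlist workaround named above, the relevant Neo4j server setting is dbms.security.procedures.allowlist in neo4j.conf, which limits the procedures a database will load. The fragment below is an added example, not configuration from the advisory; the procedure patterns listed are assumptions chosen to show the shape of a restrictive list that leaves apoc.import.graphml unloaded, and must be replaced with the set of procedures your own workloads actually need.

```properties
# neo4j.conf (example fragment, not part of the advisory)
#
# Only procedures matching these patterns are loaded. Because apoc.import.*
# is absent, apoc.import.graphml cannot be called at all, which removes the
# vulnerable XML parser from the attack surface until APOC is upgraded.
dbms.security.procedures.allowlist=apoc.coll.*,apoc.text.*,apoc.date.*
```

After changing the setting, restart the server and confirm the result with SHOW PROCEDURES (or, on older releases, CALL dbms.procedures()) so that no apoc.import procedure is listed. Prefer the version upgrade where possible: the allowlist removes reachability of the vulnerable procedure, but it does not correct the parser configuration itself.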

XXE

Weakness Enumeration

Related Identifiers

CVE-2023-23926
GHSA-6WXG-WH7F-RQPR
GHSA-9VX8-F5C4-862X

Affected Products

Apoc