CVE-2021-34371 – org.neo4j:neo4j

Package

Manager: maven
Name: org.neo4j:neo4j
Vulnerable Version: >=0 <3.5.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.68071 pctl0.98542

Details

Deserialization of Untrusted Data in Neo4j Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.

Metadata

Created: 2021-09-01T18:31:29Z
Modified: 2021-08-30T21:46:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-pc4w-8v5j-29w9/GHSA-pc4w-8v5j-29w9.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-pc4w-8v5j-29w9
Finding: F096
Auto approve: 1