CVE-2022-23532 is a path traversal vulnerability discovered in the apoc.export.* procedures of the APOC (Awesome Procedures on Cypher) plugins in the Neo4j Graph Database. The vulnerability may allow a malicious actor to break out of the expected directory when executing an arbitrary query in an application. To exploit this vulnerability, an attacker needs access to an authenticated Neo4j client or a Cypher injection vulnerability in an application. This article will provide a detailed overview of the vulnerability, its potential impact, and recommended mitigation strategies.
Vulnerability Details
The APOC library is an add-on library for the Neo4j Graph Database, offering hundreds of procedures and functions to extend its capabilities. APOC's apoc.export.* procedures provide the functionality to export data from the database in various formats, such as CSV, JSON, and XML. These procedures expect a file path as an input parameter, where the exported data is saved.
The path traversal vulnerability in these procedures could allow an attacker with appropriate access to create files outside the expected directory. However, it's important to note that the vulnerability does not allow file overwriting. For a successful exploit, the attacker needs the ability to execute an arbitrary query either through an authenticated Neo4j client or via a Cypher injection vulnerability in an application.
Example Code Snippet
Below is an example code snippet demonstrating the path traversal vulnerability in the apoc.export.csv.query procedure:
CALL apoc.export.csv.query(
"MATCH (n) RETURN n",
"../../../../../../../../../tmp/evil.csv",
{}
)
In the above snippet, the attacker uses the "../" directory traversal characters in the file path, potentially allowing them to write the exported data to a different directory outside the anticipated one.
Affected Versions and Patches
The Neo4j team has released patches to address this vulnerability in versions 4.4..12, 4.3..12, and 5.3.1 of the APOC plugin. Users are advised to update their installations to one of these patched versions to protect their systems from this issue.
The official CVE record for this vulnerability can be found here
Neo4j's security advisory concerning this vulnerability can be accessed here
- Neo4j Security Advisory (CVE-2022-23532)
As an immediate workaround, users can take the following steps to reduce the risk of exploitation
1. Control the allowlisting of available procedures in the system by explicitly listing allowed procedures in the dbms.security.procedures.allowlist configuration option.
2. Disable local file access in the APOC configuration by setting the apoc.export.file.enabled option to false. However, this may disable the functionality of apoc.export.* procedures for legitimate use cases.
Conclusion
CVE-2022-23532 is a path traversal vulnerability in the APOC export procedures of the Neo4j Graph Database. The vulnerability may allow a malicious actor to break out of the expected directories, potentially causing unintended information exposure. Users are urged to update their installations to the patched versions of APOC (4.4..12, 4.3..12, and 5.3.1) or employ the recommended workarounds to mitigate the risk of exploitation.
Timeline
Published on: 01/14/2023 01:15:00 UTC
Last modified on: 01/24/2023 01:13:00 UTC