CVE-2021-42767: 
Java vulnerability analysis and mitigation

A directory traversal vulnerability (CVE-2021-42767) was discovered in the apoc plugins in Neo4J Graph database before version 4.4.0.1. The vulnerability was disclosed in February 2022 and affects multiple versions of the Neo4J Graph database. The issue allows attackers to read local files, and in some cases, create local files on the affected system. The vulnerability has been fixed in versions 3.5.17, 4.2.10, 4.3.0.4, and 4.4.0.1 (NVD, GitHub Advisory).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has received a CVSS v3.1 base score of 9.1 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. The issue allows attackers to retrieve and download files from outside the configured directory on the affected server, and under certain circumstances, create files as well (GitHub Advisory, NVD).

The vulnerability enables attackers to access and read files from outside the intended directory structure, potentially exposing sensitive information. Additionally, in some cases, attackers can create files on the affected system, which could lead to further system compromise (GitHub Advisory).

Users should upgrade to the patched versions: 3.5.17 for Neo4j 3.5, 4.2.10 for Neo4j 4.2, 4.3.0.4 for Neo4j 4.3, or 4.4.0.1 for Neo4j 4.4. For those unable to upgrade immediately, a workaround is available by controlling the allowlist of the functions that can be used in the system (GitHub Advisory).

The vulnerability was responsibly disclosed by Nicolai Grødum from the Red Team of PwC Norway, following the responsible disclosure policy (GitHub Advisory).