CVE-2022-23532: 
Java vulnerability analysis and mitigation

APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j that provides hundreds of procedures and functions. A path traversal vulnerability (CVE-2022-23532) was discovered in the apoc.export.* procedures of APOC plugins in Neo4j Graph database. The vulnerability was disclosed on January 13, 2023, affecting versions prior to 4.3.0.12 and 4.4.0.12 (NVD, GitHub Advisory).

The vulnerability allows a malicious actor to potentially break out of the expected directory through path traversal. The issue is specifically related to file handling in the apoc.export.* procedures. The CVSS v3.1 base score is 7.1 (High) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (GitHub Advisory).

The vulnerability allows files to be created but not overwritten in unauthorized directories. For exploitation, an attacker would need either access to an authenticated Neo4j client or a Cypher injection vulnerability in an application. The procedure would also need to be allowlisted in the Neo4j configuration and have apoc.export.file.enabled set to true (GitHub Advisory).

The vulnerability has been patched in versions 4.3.0.12, 4.4.0.12, and 5.3.1. Users should upgrade to these minimum versions or later releases compatible with their Neo4j version. For those unable to upgrade, workarounds include controlling the allowlist of procedures that can be used in the system and/or disabling local file access by setting apoc.export.file.enabled=false (GitHub Advisory).

The vulnerability was responsibly disclosed and patched, with credit given to Adam Reziouk from Airbus for discovering the vulnerability (GitHub Advisory).