
Cloud Vulnerability DB
A community-led vulnerabilities database
Neo4j APOC (Awesome Procedures on Cypher) before versions 4.3.0.7 and 4.x before 4.4.0.8 was found to contain a partial Directory Traversal vulnerability. The vulnerability was discovered in August 2022 and was assigned identifier CVE-2022-37423. The vulnerability specifically affects the apoc.log.stream function within the APOC plugins of the Neo4j Graph database (Neo4j Advisory).
The vulnerability allows malicious actors to break out of the expected directory through directory traversal, but the impact is limited to sibling directories whose names begin with the expected directory's name. For example, if a path check uses userControlled.getCanonicalPath().startsWith("/usr/out"), a path under a directory named /usr/outnot also passes the check, because the comparison is done on the string prefix rather than on whole path components, effectively bypassing the intended directory restriction (Neo4j Advisory).
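The check described above, shown beside a hardened form, as an added example that is not code from Neo4j or the APOC project. The base directory /usr/out and the sample inputs are constructed; Path.normalize() stands in for File.getCanonicalPath() so the example runs without the directories existing (a production check should also resolve symlinks, e.g. with toRealPath()).

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class SiblingDirCheck {
    // Directory the caller is meant to stay inside (constructed for this example).
    static final Path BASE = Paths.get("/usr/out");

    // Weak check in the style described in the advisory: a plain string prefix test.
    // "/usr/outnot/secret.log" starts with the string "/usr/out", so it is wrongly accepted.
    static boolean weakCheck(String userControlled) {
        String canonical = Paths.get(userControlled).toAbsolutePath().normalize().toString();
        return canonical.startsWith(BASE.toString());
    }

    // Hardened check: compare whole path components, not characters.
    // Path.startsWith(Path) only matches complete name elements, so
    // "/usr/outnot" is correctly rejected as not being under "/usr/out".
    static boolean hardenedCheck(String userControlled) {
        Path candidate = BASE.resolve(userControlled).toAbsolutePath().normalize();
        return candidate.startsWith(BASE);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate, one sibling-directory bypass, one classic "..".
        String[] inputs = { "/usr/out/app.log", "/usr/outnot/secret.log", "/usr/out/../etc/passwd" };
        for (String in : inputs) {
            System.out.printf("%-26s weak=%-5b hardened=%b%n", in, weakCheck(in), hardenedCheck(in));
        }
        // weak=true for the /usr/outnot input; hardened=false for both traversal attempts.
    }
}
```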
In effect, attackers can reach sibling directories of the intended directory that should be restricted, which could lead to unauthorized access to sensitive files or information stored in those adjacent directories (Neo4j Advisory).
Users are advised to upgrade to the patched versions: 4.4.0.8 or 4.3.0.7, depending on their Neo4j version. For users unable to upgrade, a workaround is available through controlling the allowlist of functions that can be used in the system (Neo4j Advisory).
Source: This report was generated using AI