CVE-2023-23926: 
Java vulnerability analysis and mitigation

An XML External Entity (XXE) vulnerability (CVE-2023-23926) was discovered in the apoc.import.graphml procedure of APOC core plugin prior to version 5.5.0 and 4.4.0.14. The vulnerability was disclosed on February 16, 2023, affecting Neo4j graph database's APOC core plugin (GitHub Advisory).

The vulnerability occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured securely, allowing external entities to be processed. This vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Moderate) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H (GitHub Advisory).

The vulnerability could be exploited to read local files remotely, although this was limited to one-line files with standard privileges. With database write privileges, any file could potentially be read. Additionally, the server could be crashed by passing improperly formatted XML, leading to denial-of-service conditions (GitHub Advisory).

Users should upgrade to APOC core plugin version 5.5.0 or 4.4.0.14 or later, which contain the security fix. If upgrading is not possible, users can control the allowlist of procedures that can be used in their system to restrict access to the vulnerable procedure (GitHub Advisory).