GHSA-9vx8-f5c4-862x: 
Java vulnerability analysis and mitigation

A XML External Entity (XXE) vulnerability (GHSA-9vx8-f5c4-862x) was discovered in the apoc.import.graphml procedure of APOC core plugin in Neo4j graph database. The vulnerability affects versions prior to 4.4.0.14 and versions 5.0.0 to 5.5.0 (excluding 5.5.0) of the org.neo4j.procedure:apoc Maven package. The issue was disclosed on February 24, 2023, and was assigned a moderate severity rating with a CVSS score of 5.9 (GitHub Advisory).

The vulnerability occurs when the XML parser allows external entities to be resolved, as it was not configured securely in the apoc.import.graphml procedure. The issue has been assigned CWE-611 (Improper Restriction of XML External Entity Reference) and has a CVSS v3.1 base score of 5.9 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H). The attack vector is network-based, requiring high attack complexity and low privileges, with no user interaction needed (GitHub Advisory).

The vulnerability enables attackers to read local files remotely, although with limited privileges this was restricted to one-line files. With database write privileges, any file could potentially be read. Additionally, the server could be crashed by passing improperly formatted XML, leading to potential denial-of-service attacks (GitHub Advisory).

Users should upgrade to version 4.4.0.14 or 5.5.0, depending on their Neo4j version. For those unable to upgrade, a workaround is available by controlling the allowlist of procedures that can be used in the system. The vulnerability was patched by securing the XML parser configuration against XXE attacks (GitHub Release).

The vulnerability was discovered and reported by Christopher Schneider from State Farm, who was publicly acknowledged for their contribution to identifying this security issue (GitHub Advisory).