CVE-2018-1000820 — CRITICAL (10.0)

Vulnerability Description

neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 45bc09c.

CVSS Score

10.0

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Neo4J	Awesome Procedures On Cyper	All versions

Related Weaknesses (CWE)

CWE-611

References

https://0dd.zone/2018/10/27/neo4f-apoc-procedures-XXE/Third Party Advisory
https://github.com/neo4j-contrib/neo4j-apoc-procedures/issues/931Issue TrackingPatchThird Party Advisory
https://0dd.zone/2018/10/27/neo4f-apoc-procedures-XXE/Third Party Advisory
https://github.com/neo4j-contrib/neo4j-apoc-procedures/issues/931Issue TrackingPatchThird Party Advisory

FAQ

What is CVE-2018-1000820?

CVE-2018-1000820 is a vulnerability with a CVSS score of 10.0 (CRITICAL). neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service...

How severe is CVE-2018-1000820?

CVE-2018-1000820 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-1000820?

Check the references section above for vendor advisories and patch information. Affected products include: Neo4J Awesome Procedures On Cyper.