Skip to main content

Improper Restriction of XML External Entity Reference

CVE-2023-23926

Severity High
Score 8.1/10

Summary

APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC core plugin in Neo4j graph database. This vulnerability affects org.neo4j.procedure:apoc-core versions through 5.4.1 and org.neo4j.procedure:apoc through 4.4.0.13. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application. Abusing the XXE vulnerability enabled assessors to read local files remotely. Although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, the server could be crashed by passing in improperly formatted XML. Those who cannot upgrade the library can control the allowlist of the procedures that can be used in your system.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • LOW
  • HIGH
  • HIGH

CWE-611 - Improper Restriction of XML External Entity Reference

Listed 4th in the 'OWASP Top Ten', XML External Entities (XXE) vulnerability allows attackers to provide an XML input that contains an external entity. When the XML is parsed, it can cause data extraction and manipulation, execution of commands, denial-of-service attacks, and server-side request forgery.

Advisory Timeline

  • Published