Description

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.

Remediation

References

https://www.exploit-db.com/exploits/50170

Related Vulnerabilities

CVE-2022-24279 Vulnerability in npm package madlib-object-utils

CVE-2020-2186 Vulnerability in maven package org.jenkins-ci.plugins:ec2

CVE-2021-44585 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-base-core

CVE-2018-25083 Vulnerability in npm package pullit

CVE-2019-1010266 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory VDB Entry