Description
Neo4j through 3.4.18, when the shell server is enabled, exposes an RMI service that deserializes arbitrary Java objects, for example through setSessionVariable. An attacker can abuse this for remote code execution because the application's dependencies contain exploitable gadget chains.
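As an added example (not part of this advisory), a small check that applies the two conditions stated above, version at or below 3.4.18 and the shell server enabled, to a Neo4j 3.x installation. The setting name `dbms.shell.enabled` is not on this page and is assumed from the Neo4j 3.x configuration reference; the neo4j.conf fragment is constructed.

```python
import re

# Last release named as affected in the description above.
LAST_AFFECTED = (3, 4, 18)

def parse_version(version: str) -> tuple:
    """Turn '3.4.18' (optionally with a suffix) into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Neo4j version: {version!r}")
    return tuple(int(x) for x in m.groups())

def shell_server_enabled(conf_text: str) -> bool:
    """Return True if the neo4j.conf text enables the legacy shell server.

    Lines starting with '#' are comments. The setting name dbms.shell.enabled
    is assumed (Neo4j 3.x); it is not stated on the advisory page. When the
    key appears more than once, this checker lets the later line win.
    """
    enabled = False
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "dbms.shell.enabled":
            enabled = value.strip().lower() == "true"
    return enabled

def is_exposed(version: str, conf_text: str) -> bool:
    """Both conditions from the description must hold for the RMI service
    to be reachable: affected version AND shell server enabled."""
    return parse_version(version) <= LAST_AFFECTED and shell_server_enabled(conf_text)

# Constructed sample config: a commented-out 'false' followed by a live 'true'.
SAMPLE_CONF = """\
# constructed neo4j.conf fragment
dbms.connector.bolt.enabled=true
#dbms.shell.enabled=false
dbms.shell.enabled=true
dbms.shell.port=1337
"""

if __name__ == "__main__":
    for v in ("3.4.18", "3.4.19", "3.5.0"):
        print(v, "exposed" if is_exposed(v, SAMPLE_CONF) else "not exposed")
```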
Remediation
Upgrade to a Neo4j release later than 3.4.18, or run with the shell server disabled so that the RMI service is not exposed.
References
https://www.exploit-db.com/exploits/50170