CVE-2018-1000820
📋 TL;DR
This CVE describes an XML External Entity (XXE) vulnerability in neo4j-contrib's APOC procedures library for Neo4j: the XML parser behind procedures such as apoc.load.xml resolves external entities. An attacker who can get the server to parse a crafted document can read any file the Neo4j process can read, exhaust memory through entity expansion (denial of service), reach internal services from the database host (SSRF) and probe internal ports. Builds of neo4j-apoc-procedures from before commit 45bc09c are affected.
💻 Affected Systems
- neo4j-contrib neo4j-apoc-procedures
⚠️ Manual Verification Required
The affected range for this CVE is expressed as a commit (before 45bc09c), not as release version numbers, so automatic version matching cannot tell you whether your deployment is affected.
Why? Neither the vendor nor NVD published version ranges for this entry; the only boundary given is the fixing commit.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file readable by the Neo4j service account (neo4j.conf, the auth store, TLS private keys, backups), plus SSRF against internal services reachable from the database host; where one of those services accepts unauthenticated requests, the impact extends beyond Neo4j. XXE on its own does not give code execution on the Neo4j host.
Likely Case
Sensitive file disclosure (configuration files, credentials), denial of service through resource exhaustion, and internal network reconnaissance.
If Mitigated
Limited impact when Neo4j runs as a low-privilege account, outbound connections from the host are filtered, the XML-loading procedures are not exposed to untrusted input, and the parser does not resolve external entities.
🎯 Exploit Status
The attacker needs a way to make APOC parse XML they control: a Neo4j login allowed to call apoc.load.xml or another XML loader, Cypher injection in an application that calls one, or control over a document an existing job loads. A public proof-of-concept demonstrates file disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 45bc09c
Vendor Advisory: https://github.com/neo4j-contrib/neo4j-apoc-procedures/issues/931
Restart Required: Yes
Instructions:
1. Update neo4j-apoc-procedures to a release that includes commit 45bc09c (or a build made from a later commit), matching the Neo4j server version you run.
2. Restart the Neo4j server so the new APOC jar is loaded.
3. Verify the fix. The APOC version string carries no commit hash, so confirm from the project's history that the installed release postdates the fix, or load a test document that declares an external entity and check that the entity expands to nothing.
🔧 Temporary Workarounds
Disable XML parsing in APOC
Disable or restrict the APOC procedures that parse XML if you do not need them: in neo4j.conf, dbms.security.procedures.whitelist controls which procedures are registered at all, so a whitelist that omits apoc.load.xml, apoc.load.xmlSimple and the other XML-based loaders (GraphML import included) takes the parser out of reach. Check existing jobs first, because the whitelist applies to every user.
Implement XML parsing restrictions
External entity resolution is a property of the parser factory that APOC builds in its own code, so it cannot be switched off from outside with a -Djavax.xml.parsers.SAXParserFactory=... override, and FEATURE_SECURE_PROCESSING does not help either: it caps entity expansion, it does not stop the parser fetching SYSTEM entities. The one JVM-level setting that does apply is the JAXP restriction javax.xml.accessExternalDTD set to the empty string (dbms.jvm.additional=-Djavax.xml.accessExternalDTD= in neo4j.conf), which the JDK's built-in DOM, SAX and StAX parsers honour for external DTDs and external entities. Treat it as defense in depth, not a fix: it only takes effect if APOC ends up on the JDK parser rather than a bundled implementation, so confirm with a test document that the leak is actually blocked.
🧯 If You Can't Patch
- Network segmentation: isolate Neo4j instances from sensitive systems and the internet, and filter outbound connections from the database host so that the SSRF and port-scan primitives have nothing to reach
- Do not feed XML from untrusted sources to APOC. Where you must, reject any document that contains a DOCTYPE declaration before it reaches the loader: external entities can only be declared in a DTD, so a document without one cannot trigger the bug. Run the Neo4j service under a low-privilege account so that what an entity can read is bounded by that account's file permissions
🔍 How to Verify
Check if Vulnerable:
Check the installed APOC release with the apoc.version() function (it is a function, not a procedure, so it is read with RETURN rather than CALL) and compare it against the project's history: any build from before commit 45bc09c is vulnerable.
Check Version:
RETURN apoc.version()
Verify Fix Applied:
The version string carries no commit hash, so a functional check is the reliable one: load a small XML document that declares an external entity pointing at a file the Neo4j process can read (file URLs need apoc.import.file.enabled=true in neo4j.conf) and look at the returned value. If the element's text is the file's contents, the parser is still vulnerable; after the fix it is empty or the load fails with a parser error.
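What the parser-level fix changes, and the functional check described above, as an added example in Python. It is not APOC code (APOC's loader is Java) and it does not talk to Neo4j: Python's xml.sax stands in for the parser, and its feature_external_ges switch plays the role of the external entity support the fix turns off. The secret file, its contents and the probe document are constructed here; the file name neo4j.conf is only a stand-in.

```python
"""XXE in an XML loader: the vulnerable parser setting beside the fixed one.

Added example, not APOC code (APOC's loader is Java). Python's xml.sax stands in
for the parser; its feature_external_ges switch plays the role of the external
entity support the fix disables. The secret file, its contents and the probe
document are all constructed here; "neo4j.conf" is just a stand-in name.
"""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Minimal XXE probe: the single element expands to whatever the SYSTEM URI points at.
PROBE_TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE probe [\n'
    '  <!ENTITY leak SYSTEM "{target}">\n'
    ']>\n'
    '<probe>&leak;</probe>\n'
)


def build_probe(target_uri: str) -> bytes:
    """Return a probe document whose entity points at target_uri (file://, http://, ...)."""
    return PROBE_TEMPLATE.format(target=target_uri).encode()


class _TextCollector(ContentHandler):
    """Gathers character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def load_xml(document: bytes, resolve_external_entities: bool,
             reject_doctype: bool = False) -> str:
    """Parse document and return its text content.

    resolve_external_entities=True models the unpatched loader: SYSTEM entities
    are fetched, so file:// reads a local file and http:// makes a request from
    the server (the SSRF / port-scan case). False models the patched loader.
    reject_doctype=True is the input check for deployments that cannot patch: an
    external entity can only be declared in a DTD, so refuse any DTD outright.
    """
    if reject_doctype and b"<!DOCTYPE" in document:
        raise ValueError("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.parts).strip()


def demo(secret_text: str = "hunter2") -> dict:
    """Run the probe against a throwaway secret file; return what each mode leaked."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "neo4j.conf")  # stand-in for a real config file
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write(secret_text)
        probe = build_probe(pathlib.Path(secret_path).as_uri())
        leaked = load_xml(probe, resolve_external_entities=True)
        patched = load_xml(probe, resolve_external_entities=False)
        try:
            load_xml(probe, resolve_external_entities=True, reject_doctype=True)
            rejected = False
        except ValueError:
            rejected = True
    return {"vulnerable": leaked, "fixed": patched, "doctype_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Run as a script, the vulnerable mode returns the secret and the fixed mode returns an empty string. The document that build_probe() produces doubles as the Neo4j-side check: write it to the import directory with the entity pointing at a file the server can read and load it with apoc.load.xml; a patched APOC returns no text for the element or rejects the document. Pointing the SYSTEM URI at http://<internal host>:<port>/ instead turns the same code path into the SSRF and port-probe primitive, which this script deliberately does not exercise.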
📡 Detection & Monitoring
Log Indicators:
- query.log (needs dbms.logs.query.enabled=true): calls to apoc.load.xml or another XML loader with a file:// URL, or with an http(s) URL pointing at a host that is not a known feed source; the client address on the same line tells you who issued it
- debug.log: XML parser exceptions (for APOC's StAX-based loader, javax.xml.stream.XMLStreamException) shortly after such calls, which is what a malformed payload or an unreachable entity target produces; repeated failures from one client are the footprint of someone tuning a payload
- Heap pressure or long GC pauses in debug.log coinciding with an XML load, the footprint of an entity-expansion denial of service
Network Indicators:
- Outbound connections from Neo4j to internal systems not typically accessed
- Port scanning patterns originating from Neo4j server
SIEM Query:
source="query.log" AND ("apoc.load.xml" OR "apoc.load.xmlSimple" OR "apoc.import.graphml") AND ("file://" OR "http://" OR "https://")
This inventories every XML load that fetches a URL; exclude your allowlisted feed hosts from the results and alert on the rest. The XML payload itself never appears in the query log, only the URL the server was told to fetch, so matching on "XXE" or "external entity" in neo4j.log finds nothing.
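The log and payload checks above as runnable detection logic, an added example that is not part of the page or of Neo4j/APOC. It assumes the query log is enabled (dbms.logs.query.enabled=true); the sample log lines are constructed and only approximate the Neo4j 3.x query.log layout, the allowlisted host is invented, and every procedure name beyond apoc.load.xml is an assumed sibling you should check against your release.

```python
"""Scan Neo4j query.log for APOC XML loads that deserve a look.

Added example, not part of the page or of Neo4j/APOC. It assumes the query log
is enabled (dbms.logs.query.enabled=true). The log lines below are constructed
and only approximate the Neo4j 3.x query.log layout; adjust the regexes if
your release prints the fields differently.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# apoc.load.xml is the procedure the CVE text names; the other names are assumed
# siblings that also hand a fetched document to the XML parser. Check the real
# list for your release with CALL apoc.help('xml').
XML_PROCS = re.compile(r"\bapoc\.(?:load\.xml(?:Simple)?|import\.graphml|xml\.import)\b", re.I)
# First quoted argument after the procedure name: the URL the server will fetch.
URL_ARG = re.compile(r"""\(\s*(['"])(?P<url>[^'"]*)\1""")
CLIENT = re.compile(r"client/(?P<addr>\S+)")

# Hosts that legitimately serve XML to this database (assumed, site specific).
ALLOWED_HOSTS = {"feeds.example.internal"}

SAMPLE_QUERY_LOG = [  # constructed sample lines
    '2018-10-04 09:12:01.123+0000 INFO  14 ms: bolt-session\tbolt\tneo4j\tclient/10.0.2.15:51234\tserver/10.0.0.5:7687>\tneo4j - MATCH (n) RETURN count(n) - {} - {}',
    '2018-10-04 09:12:07.456+0000 INFO  88 ms: bolt-session\tbolt\tneo4j\tclient/10.0.2.15:51234\tserver/10.0.0.5:7687>\tneo4j - CALL apoc.load.xml("file:///var/lib/neo4j/import/payload.xml") YIELD value RETURN value - {} - {}',
    '2018-10-04 09:13:19.789+0000 INFO  302 ms: bolt-session\tbolt\tneo4j\tclient/203.0.113.9:40022\tserver/10.0.0.5:7687>\tneo4j - CALL apoc.load.xml("http://203.0.113.9/x.xml") YIELD value RETURN value - {} - {}',
    '2018-10-04 09:20:00.000+0000 INFO  40 ms: bolt-session\tbolt\tneo4j\tclient/10.0.2.20:55000\tserver/10.0.0.5:7687>\tetl - CALL apoc.load.xml("https://feeds.example.internal/catalog.xml") YIELD value RETURN value - {} - {}',
]


def classify_query_line(line: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[Dict]:
    """Return a finding for a line that calls an XML-parsing procedure, else None."""
    proc = XML_PROCS.search(line)
    if not proc:
        return None
    url_match = URL_ARG.search(line, proc.end())
    url = url_match.group("url") if url_match else None
    if url is None:
        # Parameterised call ($url): the value lives in the params field, not the query text.
        severity, reason = "medium", "URL passed as a parameter; inspect the parameters field"
    else:
        parsed = urlparse(url)
        if parsed.scheme.lower() in ("", "file"):
            # A local file on the database host: either staged by the attacker or one
            # they hope already carries a DOCTYPE.
            severity, reason = "high", "local file passed to the XML parser"
        elif (parsed.hostname or "") not in allowed_hosts:
            # Unknown origin: the document can carry external entities that an
            # unpatched parser resolves (file read, SSRF, port probing).
            severity, reason = "medium", "XML fetched from non-allowlisted host %r" % parsed.hostname
        else:
            severity, reason = "info", "XML load from an allowlisted host"
    client = CLIENT.search(line)
    return {"procedure": proc.group(0), "url": url, "severity": severity,
            "reason": reason, "client": client.group("addr") if client else None}


def scan(lines) -> List[Dict]:
    """Classify every line and keep only the XML-related findings."""
    return [f for f in (classify_query_line(l) for l in lines) if f]


# The payload itself never reaches query.log, only its URL does. Where you can see
# the document (a proxy capture, the file behind a file:// URL), these are the
# constructs that make an unpatched parser go and fetch something.
DTD_RISK = re.compile(
    r"<!DOCTYPE\s+[^>\[]*?(?:SYSTEM|PUBLIC)\b"      # external DTD subset
    r"|<!DOCTYPE[^>]*\["                            # internal subset (may declare entities)
    r"|<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b",   # external general or parameter entity
    re.I | re.S)


def xml_body_is_suspicious(body: str) -> bool:
    """True if the document declares a DTD subset or an external entity."""
    return DTD_RISK.search(body) is not None


if __name__ == "__main__":
    for finding in scan(SAMPLE_QUERY_LOG):
        print(finding["severity"], finding["client"], finding["procedure"],
              finding["url"], "-", finding["reason"])
```

The classifier keys on the only two facts the query log gives you, the URL scheme and the host, and treats a parameterised call as something to resolve from the parameters field rather than dismiss. xml_body_is_suspicious() is for the second vantage point, an egress proxy or the staged file itself, where the DOCTYPE is visible.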