CVE-2021-34802

8.8 HIGH

📋 TL;DR

This vulnerability in the Neo4j Graph Database allows authenticated users to execute commands with elevated privileges because security contexts were not reset during certain transaction actions. It affects Neo4j 4.2 and 4.3; exploitation requires an authenticated user, but not administrative access.

💻 Affected Systems

Products:
  • Neo4j Graph Database
Versions: 4.2.x and 4.3.x
Operating Systems: All platforms running Neo4j
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; affects both Community and Enterprise editions

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated users gain full administrative privileges, enabling data theft, data manipulation, or complete system compromise.

🟠 Likely Case

Privilege escalation allowing unauthorized access to sensitive data or database manipulation beyond the user's normal permissions.

🟢 If Mitigated

Limited impact with proper network segmentation, minimal user privileges, and monitoring of unusual privilege escalation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated user access and knowledge of specific transaction actions

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.11 and 4.3.6

Vendor Advisory: https://neo4j.com/developer/kb/neo4j-4-2-x-sec-vuln-fix/

Restart Required: Yes

Instructions:

1. Back up your database.
2. Download Neo4j 4.2.11 or 4.3.6 from the official Neo4j website.
3. Stop the Neo4j service.
4. Apply the update.
5. Restart the Neo4j service.
6. Verify the installed version with the 'neo4j version' command.

🔧 Temporary Workarounds

Restrict User Privileges (applies to: all)

Minimize user permissions to reduce the impact if the flaw is exploited.

Use Neo4j's RBAC system to assign the minimal necessary privileges to all users.

Network Segmentation (applies to: all)

Limit access to Neo4j instances.

Configure firewall rules to restrict access to the Neo4j ports (defaults: 7474 for HTTP, 7687 for Bolt) to authorized IPs only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach Neo4j instances
  • Apply principle of least privilege to all database users and monitor for unusual privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Neo4j version: if it is 4.2.0-4.2.10 or 4.3.0-4.3.5, the system is vulnerable.

Check Version:

neo4j version

Verify Fix Applied:

Run the 'neo4j version' command and verify that the version is 4.2.11 or later on the 4.2 line, or 4.3.6 or later on the 4.3 line.
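The version check above is easy to get wrong when done by eye across many hosts (4.2.10 is vulnerable, 4.2.11 is not; 4.3.5 is vulnerable, 4.3.6 is not). The following script is an added example, not code from the advisory or from Neo4j: it parses the output of 'neo4j version' and decides, per host, whether the installed build falls inside the affected ranges stated on this page. It assumes the command prints a line of the form 'neo4j <major>.<minor>.<patch>' (an assumption about the output format), and the host inventory it triages is constructed sample data.

```python
import re
import shutil
import subprocess

# Fixed builds as stated in this advisory: 4.2.11 and 4.3.6.
# Maps (major, minor) -> first patch level that carries the fix.
FIXED_PATCH = {(4, 2): 11, (4, 3): 6}

# Assumption: 'neo4j version' prints something like "neo4j 4.2.10".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(output: str):
    """Return (major, minor, patch) from the text printed by 'neo4j version'."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"no version string found in {output!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(output: str) -> bool:
    """True if the reported build is in 4.2.0-4.2.10 or 4.3.0-4.3.5."""
    major, minor, patch = parse_version(output)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Only the 4.2.x and 4.3.x lines are listed as affected on this page.
        return False
    return patch < fixed


def triage(inventory: dict) -> dict:
    """Classify each host as VULNERABLE, ok, or unknown (unparseable output)."""
    result = {}
    for host, output in inventory.items():
        try:
            result[host] = "VULNERABLE" if is_vulnerable(output) else "ok"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory: host -> captured 'neo4j version' output.
SAMPLE_INVENTORY = {
    "graph-01": "neo4j 4.2.10",
    "graph-02": "neo4j 4.2.11",
    "graph-03": "neo4j 4.3.5",
    "graph-04": "neo4j 4.3.6",
    "graph-05": "neo4j 4.1.9",
    "graph-06": "command not found",
}


def local_version() -> str:
    """Run 'neo4j version' on this machine if the binary is on PATH."""
    if shutil.which("neo4j") is None:
        raise RuntimeError("neo4j binary not found on PATH")
    return subprocess.run(["neo4j", "version"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {SAMPLE_INVENTORY[host]:22s} {status}")
    try:
        print("local:", "VULNERABLE" if is_vulnerable(local_version()) else "ok")
    except (RuntimeError, ValueError, subprocess.CalledProcessError) as exc:
        print("local: skipped,", exc)
```

Feed real inventory by replacing SAMPLE_INVENTORY with the captured output of 'neo4j version' from each host; hosts that report "unknown" need a manual look rather than being assumed safe.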

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation patterns
  • Multiple failed authentication attempts followed by successful privileged actions
  • Transactions showing unexpected security context changes

Network Indicators:

  • Unusual query patterns from non-admin users
  • Multiple transaction rollbacks/resets from single user sessions

SIEM Query:

source="neo4j.log" AND ("security context" OR "privilege escalation" OR "unauthorized access")
