Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://www.exploit-db.com/exploits/50170 |
![]() ![]() |
History
No history.

Status: PUBLISHED
Assigner: mitre
Published: 2021-08-05T19:35:05
Updated: 2024-08-04T00:12:49.674Z
Reserved: 2021-06-09T00:00:00
Link: CVE-2021-34371

No data.

Status : Modified
Published: 2021-08-05T20:15:09.280
Modified: 2024-11-21T06:10:15.297
Link: CVE-2021-34371

No data.