CVE-2018-18389
Incorrect access control in Neo4j Enterprise Database Server via LDAP authentication
9.8
CRITICAL
CVSS 3.1
EPSS 0.73%
Description
Due to incorrect access control in Neo4j Enterprise Database Server 3.4.x before 3.4.9, a deployment configured to use LDAP for authentication with STARTTLS and a System Account for authorization allows an attacker to log into the server by sending any valid username together with an arbitrary password.
How to fix CVE-2018-18389
To remediate CVE-2018-18389, upgrade the affected package to a fixed version below.
- Upgrade to 3.4.9 or later
Is CVE-2018-18389 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Neo4j Enterprise Database Server: >= 3.4.0, < 3.4.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |