diff --git a/advisories/github-reviewed/2026/02/GHSA-xr72-g735-4vwp/GHSA-xr72-g735-4vwp.json b/advisories/github-reviewed/2026/02/GHSA-xr72-g735-4vwp/GHSA-xr72-g735-4vwp.json index 2817cc7b1df85..e752f995becc0 100644 --- a/advisories/github-reviewed/2026/02/GHSA-xr72-g735-4vwp/GHSA-xr72-g735-4vwp.json +++ b/advisories/github-reviewed/2026/02/GHSA-xr72-g735-4vwp/GHSA-xr72-g735-4vwp.json 
@@ -1,19 +1,14 @@ { "schema_version": "1.4.0", "id": "GHSA-xr72-g735-4vwp", - "modified": "2026-02-06T19:41:15Z", + "modified": "2026-02-06T19:41:16Z", "published": "2026-02-06T15:31:03Z", "aliases": [ "CVE-2026-1337" ], - "summary": "Neo4j Enterprise and Community editions have insufficient escaping of unicode characters in query log", - "details": "Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.\n\nProof of concept exploit:  https://github.com/JoakimBulow/CVE-2026-1337", - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" - } - ], + "summary": "Xss Vulnerability - Neo4j Enterprise and Community editions have insufficient escaping of unicode characters in query log", + "details": "# Vulnerability in Neo4j Enterprise and Community Editions (CVE-2026-1337)\n\nNeo4j Enterprise and Community editions prior to 2026.01 are vulnerable to insufficient escaping of Unicode characters in the query log, which can lead to Cross-Site Scripting (XSS) if the logs are opened in a tool that interprets them as HTML. There is no direct security impact on Neo4j products themselves, but this advisory is issued as a precaution to treat the logs as plain text when using versions prior to 2026.01.\n\n## Details\n\nThe vulnerability arises from improper handling of control characters (e.g., newlines) in the metadata field of Bolt transactions when Neo4j is not configured to use JSON-formatted logging. 
An authenticated user can inject arbitrary log entries, potentially spoofing queries or introducing malicious content.\n\n- **Vulnerability Type**: CWE-117 (Improper Output Neutralization for Logs) / CWE-79 (Improper Neutralization of Input During Web Page Generation - XSS)\n- **Root Cause**: Failure to escape control characters like `\\n` in query log entries, allowing log injection when logging is in plain text format.\n- **Execution Flow**:\n 1. An authenticated attacker connects to the Neo4j Bolt port (default: 7687).\n 2. They initiate a transaction with malicious metadata containing newlines and crafted log lines.\n 3. The unescaped metadata is written to `query.log`, injecting fake entries.\n 4. If logs are viewed in a web-based tool or terminal, it could lead to XSS or terminal manipulation via ANSI escapes.\n\n## Proof of Concept (PoC)\n\nThe vulnerability can be demonstrated using a Python script with the Neo4j driver. A proof-of-concept is available at: https://github.com/JoakimBulow/CVE-2026-1337\n\n**Steps to Reproduce:**\n1. Set up a Neo4j instance prior to 2026.01 with plain text logging (not JSON).\n2. Install the Neo4j Python driver: `pip install neo4j`.\n3. Run the following script (adapted from the PoC):\n\n```python\nfrom neo4j import GraphDatabase\n\nuri = \"bolt://127.0.0.1:7687\"\nusername = \"neo4j\"\npassword = \"your_password\"\n\npayload = \"\\n2025-12-05 13:08:34.148+0000 INFO Query started: id:700 - MATCH (n:FakeQuery1) RETURN n LIMIT 1\\n2025-12-05 13:08:34.148+0000 INFO Query started: id:701 - MATCH (n:FakeQuery2) RETURN n LIMIT 1\"\n\ndriver = GraphDatabase.driver(uri, auth=(username, password))\n\nwith driver.session() as session:\n tx = session.begin_transaction(metadata={\"x\": payload})\n tx.run(\"RETURN 1\")\n tx.commit()\n\ndriver.close()", + "severity": [], "affected": [ { "package": {
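Review bot: the `severity` array is emptied (the `CVSS_V4` vector `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P` is removed and replaced with `"severity": []`) while nothing in the new `details` text states why the score no longer applies; either keep the original vector or record the reason for dropping it, since an empty severity makes the advisory unscorable for consumers. The new `details` string also never closes the Markdown fence it opens with ` ```python ` (the string ends at `driver.close()"`), so the rendered advisory will swallow everything after the script into a code block; append `\n```` before the closing quote. The new `summary` prefix `Xss Vulnerability - ` should read `XSS` and duplicates what the rest of the sentence already says, so consider restoring the original summary. Finally, the added execution-flow step 4 ("terminal manipulation via ANSI escapes") and the CWE-117 classification go beyond the original text, which only describes XSS when logs are opened in an HTML-interpreting tool; if those claims come from the upstream advisory or the linked PoC, cite that source, otherwise drop them.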