Description
Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has the ability to access the local log files.
The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access.
We recommend upgrading to versions 2026.01.3 (or 5.26.21), where the issue is fixed, and reviewing query log file permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.
A flaw was found in Neo4j. The obfuscate_literals option in the query logs fails to extend redaction to error messages. When a query triggers an error, unredacted data, potentially containing sensitive literals, is exposed in the logs. This issue allows an attacker with access to the local log files to obtain sensitive information they are not authorized to view, resulting in an information leak.
Statement
To exploit this issue, an attacker must have access to the local log files. Permission to run queries facilitates exploitation, but log file access is essential to view the exposed data. For this reason, this vulnerability has been rated with a moderate severity.
Mitigation
To mitigate this issue, restrict log file access at the operating system level. Ensure that access to the disk location where query.log (and other logs) is stored is strictly limited to authorized system administrators.
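The two checks above (the error-obfuscation setting after upgrading, and operating-system access to query.log) can be combined into one audit. This is an added example, not code from Neo4j or Red Hat; it assumes neo4j.conf uses plain key=value lines, that an unset setting counts as disabled, and that the caller supplies the paths of the log file and its directory.

```python
import os
import stat

LITERALS = "db.logs.query.obfuscate_literals"
ERRORS = "db.logs.query.obfuscate_errors"  # setting name as given in the advisory


def parse_conf(text):
    """Read key=value lines in neo4j.conf style, skipping blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_conf(text):
    """Flag literal obfuscation that is not extended to error messages."""
    settings = parse_conf(text)

    def enabled(key):
        # Assumption: an unset setting counts as disabled.
        return settings.get(key, "false").lower() == "true"

    if enabled(LITERALS) and not enabled(ERRORS):
        return [f"{LITERALS} is on but {ERRORS} is not: error messages stay unredacted"]
    return []


def audit_log_access(path):
    """Report group/other permission bits on a log file or directory."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append(f"{path}: accessible to all users (mode {mode:o})")
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP):
        findings.append(f"{path}: accessible to group, review membership (mode {mode:o})")
    return findings


def audit(conf_text, log_paths):
    """Run both checks; log_paths should include query.log and its directory."""
    findings = audit_conf(conf_text)
    for path in log_paths:
        findings.extend(audit_log_access(path))
    return findings


if __name__ == "__main__":
    # Constructed sample config; pass real paths for the permission check.
    print("\n".join(audit("db.logs.query.obfuscate_literals=true\n", [])))
```

An empty result from `audit` means both the setting pair and the supplied paths passed; POSIX mode bits do not cover ACLs, so those need a separate review.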
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat build of Apache Camel for Spring Boot 4 | camel-neo4j | Fix deferred | ||
| Red Hat build of Apache Camel for Spring Boot 4 | neo4j-bolt-connection | Fix deferred | ||
| Red Hat build of Apache Camel for Spring Boot 4 | neo4j-bolt-connection-netty | Fix deferred | ||
| Red Hat build of Apache Camel for Spring Boot 4 | neo4j-bolt-connection-pooled | Fix deferred | ||
| Red Hat build of Apache Camel for Spring Boot 4 | neo4j-bolt-connection-routed | Fix deferred | ||
| Red Hat build of Apache Camel for Spring Boot 4 | neo4j-java-driver | Fix deferred | ||
| Red Hat Fuse 7 | neo4j-ogm-core | Fix deferred | ||
| Red Hat JBoss Enterprise Application Platform 8 | neo4j | Fix deferred | ||
| Red Hat JBoss Enterprise Application Platform Expansion Pack | neo4j | Fix deferred | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-model-registry-rhel9 | Fix deferred | ||
Additional information
CVSS3: 5.5 Medium