CVE-2021-42767: Neo4j Graph Data Platform – The Leader in Graph Databases

A directory traversal vulnerability in the APOC plugins in the Neo4j graph database before 4.4.0.1 allows attackers to read local files, and sometimes create local files. This is fixed in 3.5.17, 4.2.10, 4.3.0.4, and 4.4.0.1.

Neo4j Graph Data Platform

Blazing-Fast Graph, Petabyte Scale

With proven trillion+ entity performance, developers, data scientists, and enterprises rely on Neo4j as the top choice for high-performance, scalable analytics, intelligent app development, and advanced AI/ML pipelines.

The Graph Technology Leader

Uncompromised Performance, Reliability, and Integrity

The creator and leader of the graph database category, Neo4j continues to expand the limits of graph technology, helping empower the largest active community of 220,000 developers, data scientists, and architects who are working to solve the world’s most complex and valuable data problems.

MACHINE LEARNING INNOVATION

Revealing Richer Context to Drive Deeper Insights

Analysts and data scientists can incorporate network structures to infer meaning, increase ML accuracy, and drive contextual AI – making better predictions with the data they already have.

Neo4j is fueled by our vast, production-ready algorithm library and advanced, groundbreaking machine learning workflows not found anywhere else.

Battle-tested for performance

The Most Trusted. The Most Secure. The Most Deployed.

Neo4j is the only enterprise-strength graph database that combines native graph storage, advanced security, scalable speed-optimized architecture, and ACID compliance to ensure predictability and integrity of relationship-based queries. That’s why it’s deployed by hundreds of Fortune 500 companies, government agencies, and NGOs.

NEO4J AS A SERVICE

Neo4j Aura: The Fully Managed Cloud Service

Neo4j Aura is a fast, scalable, always on and fully automated graph platform, offered as a cloud service. Aura lets you focus on your core innovation rather than spending time managing infrastructure.

Neo4j Aura includes AuraDB, the graph database as a service for developers building intelligent applications and AuraDS, the graph data science as a service for data scientists building predictive models and analytics workflows.

Fully automated provisioning, upgrades and backups

Always-on, Secure, Reliable and ACID compliant

Scalable, on-demand without interruption

Simple Consumption-Based pricing

Cypher: The Graph Query Language

No More Complex Joins

Cypher is a powerful, intuitive, graph-optimized query language that understands, and takes advantage of, data connections. It’s user-friendly, easy to learn, and follows connections – in any direction – to reveal previously unknown relationships and clusters.

When trying to find patterns or insights within data, Cypher queries are much simpler and easier to write than massive SQL joins. Since Neo4j doesn’t have tables, there are no joins to worry about. Compare the Cypher query below with its equivalent in SQL.

Cypher

MATCH (p:Product)-[:CATEGORY]->(l:ProductCategory)-[:PARENT*0..]->(:ProductCategory {name:"Dairy Products"})
RETURN p.name

SQL

SELECT p.ProductName
FROM Product AS p
JOIN ProductCategory pc ON (p.CategoryID = pc.CategoryID AND pc.CategoryName = "Dairy Products")

JOIN ProductCategory pc1 ON (p.CategoryID = pc1.CategoryID)
JOIN ProductCategory pc2 ON (pc1.ParentID = pc2.CategoryID AND pc2.CategoryName = "Dairy Products")

JOIN ProductCategory pc3 ON (p.CategoryID = pc3.CategoryID)
JOIN ProductCategory pc4 ON (pc3.ParentID = pc4.CategoryID)
JOIN ProductCategory pc5 ON (pc4.ParentID = pc5.CategoryID AND pc5.CategoryName = "Dairy Products");

Use Your Favorite Programming Languages

We aim to make the Neo4j experience fast, natural, and fun for developers. Neo4j supports GraphQL and drivers for .NET, Java, Node.js, Python, and more. Our community of contributors provides many more drivers, including PHP, Ruby, R, Erlang, and Clojure.

  • NodeJS
  • Python
  • Go
  • .NET
  • Java

// npm install --save neo4j-driver
// node example.js
const neo4j = require("neo4j-driver");
const driver = neo4j.driver("bolt://<HOST>:<BOLTPORT>",
  neo4j.auth.basic("<USERNAME>", "<PASSWORD>"),
  { /* encrypted: 'ENCRYPTION_OFF' */ });

// The category is passed as the $category parameter, not concatenated into the query text
const query = `
  MATCH (p:Product)-[:PART_OF]->(:Category)-[:PARENT*0..]->
  (:Category {categoryName:$category})
  RETURN p.productName as product
`;

const params = { category: "Dairy Products" };

const session = driver.session({ database: "neo4j" });

session
  .run(query, params)
  .then((result) => {
    result.records.forEach((record) => {
      console.log(record.get("product"));
    });
    session.close();
    driver.close();
  })
  .catch((error) => {
    console.error(error);
  });

# pip3 install neo4j-driver
# python3 example.py

from neo4j import GraphDatabase, basic_auth

driver = GraphDatabase.driver(
  "bolt://<HOST>:<BOLTPORT>", 
  auth=basic_auth("<USERNAME>", "<PASSWORD>"))

cypher_query = '''
MATCH (p:Product)-[:PART_OF]->(:Category)-[:PARENT*0..]->
(:Category {categoryName:$category})
RETURN p.productName as product
'''

with driver.session(database="neo4j") as session:
  results = session.read_transaction(
    lambda tx: tx.run(cypher_query,
      category="Dairy Products").data())

  for record in results:
    print(record['product'])

driver.close()

// go mod init main
// go run example.go
package main
import (
    "fmt"
    "github.com/neo4j/neo4j-go-driver/neo4j" //Go 1.8
)
func main() {
    s, err := runQuery("bolt://<HOST>:<BOLTPORT>", "<USERNAME>", "<PASSWORD>")
    if err != nil {
        panic(err)
    }
    fmt.Println(s)
}
func runQuery(uri, username, password string) ([]string, error) {
    configForNeo4j4 := func(conf *neo4j.Config) { conf.Encrypted = false }
    driver, err := neo4j.NewDriver(uri, neo4j.BasicAuth(username, password, ""), configForNeo4j4)
    if err != nil {
        return nil, err
    }
    defer driver.Close()
    sessionConfig := neo4j.SessionConfig{AccessMode: neo4j.AccessModeRead, DatabaseName: "neo4j"}
    session, err := driver.NewSession(sessionConfig)
    if err != nil {
        return nil, err
    }
    defer session.Close()
    results, err := session.ReadTransaction(func(transaction neo4j.Transaction) (interface{}, error) {
        result, err := transaction.Run(
            `
            MATCH (p:Product)-[:PART_OF]->(:Category)-[:PARENT*0..]->
            (:Category {categoryName:$category})
            RETURN p.productName as product
            `, map[string]interface{}{
                "category": "Dairy Products",
            })
        if err != nil {
            return nil, err
        }
        var arr []string
        for result.Next() {
            value, found := result.Record().Get("product")
            if found {
              arr = append(arr, value.(string))
            }
        }
        if err = result.Err(); err != nil {
            return nil, err
        }
        return arr, nil
    })
    if err != nil {
        return nil, err
    }
    return results.([]string), err
}

// install dotnet core on your system
// dotnet new console -o .
// dotnet add package Neo4j.Driver
// paste in this code into Program.cs
// dotnet run

using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using Neo4j.Driver;
  
namespace dotnet {
  class Example {
  static async Task Main() {
    var driver = GraphDatabase.Driver("bolt://<HOST>:<BOLTPORT>", 
                    AuthTokens.Basic("<USERNAME>", "<PASSWORD>"));

    var cypherQuery =
      @"
      MATCH (p:Product)-[:PART_OF]->(:Category)-[:PARENT*0..]->
      (:Category {categoryName:$category})
      RETURN p.productName as product
      ";

    var session = driver.AsyncSession(o => o.WithDatabase("neo4j"));
    var result = await session.ReadTransactionAsync(async tx => {
      var r = await tx.RunAsync(cypherQuery, 
              new { category="Dairy Products"});
      return await r.ToListAsync();
    });

    await session?.CloseAsync();
    foreach (var row in result)
      Console.WriteLine(row["product"].As<string>());
      
    }
  }
}

// Add the driver dependency to your pom.xml, build.gradle, etc.
// Java Driver Dependency: http://search.maven.org/#artifactdetails|org.neo4j.driver|neo4j-java-driver|4.0.1|jar
// Reactive Streams http://search.maven.org/#artifactdetails|org.reactivestreams|reactive-streams|1.0.3|jar
// download jars into current directory
// java -cp "*" Example.java

import org.neo4j.driver.*;
import static org.neo4j.driver.Values.parameters;

public class Example {

  public static void main(String...args) {

    Driver driver = GraphDatabase.driver("bolt://<HOST>:<BOLTPORT>",
              AuthTokens.basic("<USERNAME>","<PASSWORD>"));

    try (Session session = driver.session(SessionConfig.forDatabase("neo4j"))) {

      String cypherQuery =
        "MATCH (p:Product)-[:PART_OF]->(:Category)-[:PARENT*0..]->" +
        "(:Category {categoryName:$category})" +
        "RETURN p.productName as product";

      var result = session.readTransaction(
        tx -> tx.run(cypherQuery, 
                parameters("category","Dairy Products"))
            .list());

      for (Record record : result) {
        System.out.println(record.get("product").asString());
      }
    }
    driver.close();
  }
}

Helpful Tools for Modern App & Web Development

Neo4j provides an array of tools, libraries, and frameworks to make development faster and easier. Developer tools like Neo4j Desktop, Browser, and Sandbox make it simple to learn and develop graph apps.

The new Neo4j GraphQL Library translates GraphQL queries into Cypher, making it easier for GraphQL users to use Neo4j. It also streamlines integration of Neo4j with React, Vue, and other open source frameworks.

GraphQL Library

For API driven modern applications

Neo4j Browser

For accessing your database anywhere
