CVE-2021-34371

CRITICAL

Neo4j < 3.4.18 - Insecure Deserialization

Title source: rule

Description

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.

Exploits (4)

exploitdb WORKING POC

by Christopher Ellis · javaremotejava

https://www.exploit-db.com/exploits/50170

View Code ZIP pw:eip

nomisec WORKING POC 32 stars

by zwjjustdoit · poc

https://github.com/zwjjustdoit/CVE-2021-34371.jar

View Code ZIP pw:eip

github SUSPICIOUS

by Andyyyyuan · pythonpoc

https://github.com/Andyyyyuan/CVE-Poc/tree/main/CVE-2021-34371

View Code ZIP pw:eip

nomisec WORKING POC

by tavgar · poc

https://github.com/tavgar/CVE-2021-34371

View Code ZIP pw:eip

References (1)

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/50170

Scores

CVSS v3 9.8

EPSS 0.6492

EPSS Percentile 98.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502

Status published

Products (2)

neo4j/neo4j < 3.4.18

org.neo4j/neo4j 0 - 3.5.0Maven

Published Aug 05, 2021

Tracked Since Feb 18, 2026