NornicDB Improper Network Binding in Bolt Server Allows Unauthorized Remote Access

Vulnerability

A vulnerability in NornicDB's Bolt server configuration prior to version 1.0.42-hotfix allows unauthorized remote access to the database. The Bolt server always binds to the wildcard address regardless of the address the operator configures, so a database that was meant to listen only on localhost is reachable, with its default admin credentials, from any device on the same local network. Affected versions are reported through 1.0.39; the fix ships in 1.0.42-hotfix.

Impact

Exploitation of this vulnerability gives an unauthenticated network attacker access to the NornicDB Bolt server. Once connected with the default admin credentials, the attacker can execute arbitrary Cypher queries, including reading, writing, and deleting nodes in the database.

Reproduction

To reproduce this vulnerability, start NornicDB with the '--address' CLI flag set to '127.0.0.1' and the Bolt server port specified. The startup output incorrectly reports the Bolt server as bound to localhost, while the socket is actually listening on all interfaces. This can be verified with a tool that lists listening sockets (for example 'ss -ltn', 'netstat -ltn', or 'lsof -iTCP -sTCP:LISTEN'): the Bolt port shows a local address of '0.0.0.0' or '[::]' instead of '127.0.0.1', and a connection from another host on the network succeeds.

Remediation

Users should update to NornicDB version 1.0.42-hotfix, which addresses the vulnerability by binding the Bolt server to the address configured by the user. Until the update is applied, restrict access to the Bolt port with a host firewall and do not leave the default admin credentials in place.
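The following Go program is an added illustration of the bug class described in the Reproduction and Remediation sections above; it is not NornicDB's source code. It contrasts the faulty pattern (the configured host is accepted but the listener is opened on ":port", which Go's net.Listen treats as all interfaces) with the corrected pattern (net.JoinHostPort of the configured host and port), and includes a small check that classifies the address a listener actually bound as wildcard or not, which is the same test an operator performs with ss or lsof. The function names, the use of port 0 to let the OS pick a free port, and the log-line emulation are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// bindAddrVulnerable reproduces the reported bug pattern (illustrative, not
// NornicDB's code): the configured host is accepted but never used, so the
// listener is opened on ":port", which binds to every interface.
func bindAddrVulnerable(host string, port int) string {
	_ = host // configured value silently ignored
	return ":" + strconv.Itoa(port)
}

// bindAddrFixed honours the configured host. net.JoinHostPort also brackets
// IPv6 literals correctly ("::1" becomes "[::1]:7687").
func bindAddrFixed(host string, port int) string {
	return net.JoinHostPort(host, strconv.Itoa(port))
}

// isWildcard reports whether a listener address string (as printed by ss,
// lsof, or net.Listener.Addr) means "all interfaces": an empty host,
// 0.0.0.0, or ::.
func isWildcard(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "" {
		return true, nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false, fmt.Errorf("not an IP literal: %q", host)
	}
	return ip.IsUnspecified(), nil
}

// listenAndInspect opens a TCP listener on addr, returns the address the OS
// actually bound and whether that address is a wildcard, then closes the socket.
func listenAndInspect(addr string) (bound string, wildcard bool, err error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return "", false, err
	}
	defer ln.Close()
	bound = ln.Addr().String()
	wildcard, err = isWildcard(bound)
	return bound, wildcard, err
}

func main() {
	const host = "127.0.0.1" // what an operator would pass via --address
	const port = 0           // 0 lets the OS choose a free port; a real deployment uses the Bolt port

	for _, c := range []struct{ name, addr string }{
		{"vulnerable", bindAddrVulnerable(host, port)},
		{"fixed", bindAddrFixed(host, port)},
	} {
		// Emulate the misleading startup message: it echoes the configured
		// host, not what the socket was actually bound to.
		fmt.Printf("%-10s log says: Bolt server listening on %s\n", c.name, host)
		bound, wc, err := listenAndInspect(c.addr)
		if err != nil {
			fmt.Printf("%-10s listen(%q) failed: %v\n", c.name, c.addr, err)
			continue
		}
		fmt.Printf("%-10s actually bound %-20s wildcard=%v\n", c.name, bound, wc)
	}
}
```

Running it prints a "listening on 127.0.0.1" line for both variants, followed by the real bound address: the vulnerable variant reports "[::]:<port>" (or "0.0.0.0:<port>") with wildcard=true, the fixed variant "127.0.0.1:<port>" with wildcard=false. The same discrepancy between the log line and the socket table is what the Reproduction section tells you to look for.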

Added: May 8, 2026, 5:56 PM
Updated: May 8, 2026, 5:56 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.