Flowsint Cypher Query Injection Vulnerability Allowing Arbitrary Query Execution
Vulnerability
A Cypher query injection vulnerability has been identified in Flowsint versions prior to 1.2.3. It allows remote attackers to create nodes with malicious types that escape the existing Cypher query context, enabling the execution of arbitrary Cypher queries. The issue arises in the node creation process, where the injected type alters the query sent to the Neo4j database.
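To illustrate the bug class described above, here is an added Python example that is not Flowsint's code (the page does not give the project's implementation or language): a node-creation query builder that interpolates the caller-supplied type straight into the Cypher text, beside a hardened version that restricts the type to an allowlisted identifier before it reaches the query. The node type names, the `sketch_id` property and the function names are assumptions.

```python
import re

# Constructed allowlist standing in for the node types an application would accept;
# Flowsint's real type names are not given on the page.
ALLOWED_TYPES = frozenset({"Person", "Domain", "Email", "IpAddress"})
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class InvalidNodeType(ValueError):
    """Raised when a caller-supplied node type is not an approved label."""


def build_create_unsafe(node_type: str, sketch_id: str) -> tuple[str, dict]:
    # Bug class from the advisory: the label comes straight from the request body.
    # Cypher cannot bind a label as a query parameter, so only the property value
    # is parameterized and the label text becomes part of the query grammar.
    query = f"CREATE (n:{node_type} {{sketch_id: $sketch_id}}) RETURN n"
    return query, {"sketch_id": sketch_id}


def validate_node_type(node_type: str) -> str:
    # Defence in depth: the type must be a plain identifier AND on the allowlist,
    # so no quoting characters or whitespace ever reach the query text.
    if not IDENTIFIER_RE.fullmatch(node_type) or node_type not in ALLOWED_TYPES:
        raise InvalidNodeType(f"rejected node type: {node_type!r}")
    return node_type


def build_create_safe(node_type: str, sketch_id: str) -> tuple[str, dict]:
    label = validate_node_type(node_type)
    # Backticks delimit the identifier; they are safe here only because
    # validate_node_type already guarantees the label contains no backtick.
    query = f"CREATE (n:`{label}` {{sketch_id: $sketch_id}}) RETURN n"
    return query, {"sketch_id": sketch_id}


def accepts(node_type: str) -> bool:
    """True if the hardened builder would accept this type."""
    try:
        validate_node_type(node_type)
        return True
    except InvalidNodeType:
        return False


if __name__ == "__main__":
    for candidate in ("Person", "Person`", "Not A Label", "Organization"):
        print(candidate, "->", accepts(candidate))
```

The unsafe builder is the pattern to look for in a code review of any endpoint that turns user input into a label or relationship type, since those cannot be parameterized and must be validated instead.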
Impact
Exploitation of this vulnerability allows for unauthorized execution of Cypher queries, which can be used to exfiltrate all graph data from the Neo4j database used by Flowsint. This includes data from all sketches and investigations, effectively allowing an attacker to reconstruct every sketch for every investigation.
Reproduction
To reproduce this vulnerability, register a new user and obtain an access token. Then create an investigation and a sketch within that investigation. Next, send a request to the sketch's 'add node' endpoint with a payload whose type field is crafted to escape the default query context. Once the node is created, the injected query runs, which can be verified by checking the response for the expected data.
Remediation
Users are advised to update Flowsint to version 1.2.3 or later, where this vulnerability has been fixed.
