Neo4J Server Cross Site Request Forgery

Hi,

Last August, Dinis Cruz wrote a blog entry [1] detailing a CSRF attack
on a Neo4J Server resulting in an RCE. The server's documentation [2]
mentions the following.

"By default, the Neo4j Server comes with some places where arbitrary
code code execution can happen. These are the Section 19.15,
&#8220;Traversals&#8221; REST endpoints. To secure these, either disable them
completely by removing offending plugins from the server class-path, or
secure access to these URLs through proxies or Authorization Rules."

This could mean that the RCE itself is not CVE worthy as it is a
documented/expected behavior. However, should the CSRF flaw be
considered a vulnerability and assigned a CVE?

Regards,
Arun

[1]
http://blog.diniscruz.com/2013/08/neo4j-csrf-payload-to-start-processes.html
[2]
http://docs.neo4j.org/chunked/stable/security-server.html#_arbitrary_code_execution

-- 
Arun Neelicattu / Red Hat Security Response Team 
PGP: 0xC244393B 5229 F596 474F 00A1 E416  CF8B 36F5 5054 C244 393B