Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 4164cd32b70d · 2025-10-21T20:26:56.000Z
GHSA-c8g6-qrwh-m3vp GHSA-h773-7gf7-9m2x GHSA-qqj3-g7mx-5p4w
diff --git a/advisories/github-reviewed/2025/10/GHSA-c8g6-qrwh-m3vp/GHSA-c8g6-qrwh-m3vp.json b/advisories/github-reviewed/2025/10/GHSA-c8g6-qrwh-m3vp/GHSA-c8g6-qrwh-m3vp.json
@@ -0,0 +1,99 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c8g6-qrwh-m3vp",
+  "modified": "2025-10-21T20:25:11Z",
+  "published": "2025-10-21T20:25:11Z",
+  "aliases": [
+    "CVE-2025-54469"
+  ],
+  "summary": "NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow",
+  "details": "### Impact\nA vulnerability was identified in NeuVector, where the enforcer used environment variables `CLUSTER_RPC_PORT` and `CLUSTER_LAN_PORT` to generate a command to be executed via `popen`, without first sanitising their values.\n\nThe entry process of the enforcer container is the monitor process. When the enforcer container stops, the monitor process checks whether the consul subprocess has exited. To perform this check, the monitor process uses the `popen` function to execute a shell command that determines whether the ports used by the consul subprocess are still active.\n\nThe values of environment variables `CLUSTER_RPC_PORT` and `CLUSTER_LAN_PORT` are used directly to compose shell commands via popen without validation or sanitization.  This behavior could allow a malicious user to inject malicious commands through these variables within the enforcer container.\n\nIn the patched version, the monitor process validates the values of `CLUSTER_RPC_PORT` and `CLUSTER_LAN_PORT` to ensure they contain only valid port numbers before invoking the `popen` command.\n\nIf validation fails, the monitor process exits immediately, causing the enforcer container to terminate. This prevents the execution of any injected or malicious commands.\n\n\n### Patches\nPatched versions include release `v5.4.7` and above.\n\n### Workarounds\nThere is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector that contains the fix.\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/neuvector/neuvector"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.3.0"
+            },
+            {
+              "fixed": "5.3.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/neuvector/neuvector"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.4.0"
+            },
+            {
+              "fixed": "5.4.7"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.4.6"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/neuvector/neuvector"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.0.0-20230727023453-1c4957d53911"
+            },
+            {
+              "fixed": "0.0.0-20251020133207-084a437033b4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-c8g6-qrwh-m3vp"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/neuvector/neuvector"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-120",
+      "CWE-77"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-21T20:25:11Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/10/GHSA-h773-7gf7-9m2x/GHSA-h773-7gf7-9m2x.json b/advisories/github-reviewed/2025/10/GHSA-h773-7gf7-9m2x/GHSA-h773-7gf7-9m2x.json
@@ -0,0 +1,83 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h773-7gf7-9m2x",
+  "modified": "2025-10-21T20:26:25Z",
+  "published": "2025-10-21T20:26:25Z",
+  "aliases": [
+    "CVE-2025-54471"
+  ],
+  "summary": "NeuVector is shipping cryptographic material into its binary",
+  "details": "### Impact\nNeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations  when NeuVector stores the data.\n\nIn the patched version, NeuVector leverages the Kubernetes secret `neuvector-store-secret` in `neuvector` namespace to dynamically generate cryptographically secure random keys. This approach removes the reliance on static key values and ensures that encryption keys are managed securely within Kubernetes.\n\nDuring rolling upgrade or restoring from persistent storage, the NeuVector controller checks each encrypted configured field. If a sensitive field in the configuration is found to be encrypted by the default encryption key, it’s decrypted with the default encryption key and then re-encrypted with the new dynamic encryption key.\n\nIf the NeuVector controller does not have the correct RBAC for accessing the new secret, it writes this error log : \n`Required Kubernetes RBAC for secrets are not found` and exits.\n\nThe device encryption key is rotated every 3 months. For details, please refer to this [Rotating Self-Signed Certificate](https://open-docs.neuvector.com/configuration/console/certrotate) documentation.\n\n### Patches\nPatched versions include release **v5.4.7** and above.\n\n### Workarounds\nThere is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector that contains the fix.\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/neuvector/neuvector"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.3.0"
+            },
+            {
+              "fixed": "5.4.7"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.4.6"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/neuvector/neuvector"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.0.0-20230727023453-1c4957d53911"
+            },
+            {
+              "fixed": "0.0.0-20251020133207-084a437033b4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-h773-7gf7-9m2x"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/neuvector/neuvector/commit/084a437033b491eeea11bdba1a09dd84ed12ea88"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/neuvector/neuvector"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-321"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-21T20:26:25Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/10/GHSA-qqj3-g7mx-5p4w/GHSA-qqj3-g7mx-5p4w.json b/advisories/github-reviewed/2025/10/GHSA-qqj3-g7mx-5p4w/GHSA-qqj3-g7mx-5p4w.json
@@ -0,0 +1,107 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qqj3-g7mx-5p4w",
+  "modified": "2025-10-21T20:25:21Z",
+  "published": "2025-10-21T20:25:21Z",
+  "aliases": [
+    "CVE-2025-54470"
+  ],
+  "summary": "NeuVector telemetry sender is vulnerable to MITM and DoS",
+  "details": "### Impact\nThis vulnerability affects NeuVector deployments only when the `Report anonymous cluster data option` is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server at `https://upgrades.neuvector-upgrade-responder.livestock.rancher.io`.\n\nIn affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept or modify the transmitted data. Additionally, NeuVector loads the response of the telemetry server is loaded into memory without size limitation, which makes  it vulnerable to a Denial of Service(DoS) attack. \n\nThe patched version includes the following security improvements:\n- NeuVector now verifies the telemetry server’s `TLS certificate chain` and `hostname` during the handshake process. This ensures that all telemetry communications occur over a trusted and verified channel.\n- NeuVector limits the telemetry server’s response to `256 bytes`, mitigating the risk of memory exhaustion and DoS attacks.\n\nThese security enhancements are enabled by default and require no user action.\n\n\n### Patches\nPatched versions include release **v5.4.7** and above.\n\n### Workarounds\nIf you cannot update to a patched version, you can temporarily disable the Report anonymous cluster data, which is enabled by default in NeuVector.\nTo change this setting, go to **Settings** → **Configuration** → **Report anonymous cluster data** in the NeuVector UI.\n\nDisabling this option prevents NeuVector from sending telemetry data to the telemetry server, which helps mitigate this vulnerability.\n\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "https://github.com/neuvector/neuvector"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.3.0"
+            },
+            {
+              "fixed": "5.3.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "https://github.com/neuvector/neuvector"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.4.0"
+            },
+            {
+              "fixed": "5.4.7"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.4.6"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "https://github.com/neuvector/neuvector"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.0.0-20230727023453-1c4957d53911"
+            },
+            {
+              "fixed": "0.0.0-20251020133207-084a437033b4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-qqj3-g7mx-5p4w"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/neuvector/neuvector/commit/06424701e69bf1eb76ff90180d78853fded93021"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/neuvector/neuvector/commit/415737cbec581a5dc5f204fac1c78b7f29ad7dc2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/neuvector/neuvector"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-295",
+      "CWE-770"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-21T20:25:21Z",
+    "nvd_published_at": null
+  }
+}
