SUSE NeuVector vulnerabilities

9 known vulnerabilities affecting suse/neuvector.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 2, MEDIUM 3

Vulnerabilities

CVE-2025-66001 | HIGH | CVSS 8.8 | CWE-295 | affected: ≥ 5.3.0, < 5.4.8 | 2026-01-08
NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks.
Sources: cvelistv5, nvd
CVE-2025-54469 | CRITICAL | CVSS 9.9 | CWE-78 | affected: ≥ 5.3.0, < 5.3.5; ≥ 5.4.0, < 5.4.7; +1 more | 2025-10-30
A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values. The entry process of the enforcer container is the monitor process. When the enforcer container stops, the monitor process checks wh
Sources: cvelistv5, nvd
CVE-2025-54470 | HIGH | CVSS 8.6 | CWE-295 | affected: ≥ 5.3.0, < 5.3.5; ≥ 5.4.0, < 5.4.7; +1 more | 2025-10-30
This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. A
Sources: cvelistv5, nvd
CVE-2025-54471 | MEDIUM | CVSS 6.5 | CWE-321 | affected: ≥ 5.3.0, < 5.4.7; ≥ 0.0.0-20230727023453-1c4957d53911, < 0.0.0-20251020133207-084a437033b4 | 2025-10-30
NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.
Sources: cvelistv5, nvd
CVE-2025-8077 | CRITICAL | CVSS 9.8 | CWE-1393 | affected: ≥ 5.0.0, < 5.4.6 | 2025-09-17
A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This tok
Sources: cvelistv5, nvd
CVE-2025-54467 | MEDIUM | CVSS 5.3 | CWE-522 | affected: ≥ 5.0.0, < 5.4.6 | 2025-09-17
When a Java command with password parameters is executed and terminated by NeuVector for a Process rule violation, the password will appear in the NeuVector security event log.
Sources: cvelistv5, nvd
CVE-2025-53884 | MEDIUM | CVSS 5.3 | CWE-759 | affected: ≥ 5.0.0, < 5.4.6 | 2025-09-17
NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attacks (an offline attack where hashes of known passwords are precomputed).
Sources: cvelistv5, nvd
CVE-2023-32188 | CRITICAL | CVSS 9.4 | CWE-1270 | fixed in 0.0.0-20231003121714-be746957ee7c | 2024-10-16
A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE.
Sources: cvelistv5, nvd
CVE-2023-22644 | CRITICAL | CVSS 9.4 | CWE-1270 | fixed in 0.0.0-20231003121714-be746957ee7c | 2023-09-20
A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE.
Sources: cvelistv5, nvd