Security Advisories and CVEs
NeuVector is committed to informing the community of security issues. Below is a CVE reference list of published security advisories and CVEs (Common Vulnerabilities and Exposures) for issues we have resolved.
CVE List
ID | Description | Date | Release |
---|---|---|---|
| | For NeuVector deployments on a Kubernetes-based environment, the bootstrap password of the default admin user is generated randomly and stored in a Kubernetes secret. The default admin must first retrieve the bootstrap password from the Kubernetes secret and is asked to change the password after the first successful UI login. | 25 Aug 2025 | |
| | NeuVector uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords. For rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash only after each user’s next successful login. | 25 Aug 2025 | |
| | By default, NeuVector redacts process commands that contain the strings password, passwd, pwd, token, or key in security logs, syslog, enforcer debug logs, controller debug logs, webhooks, and support logs. Users can configure a Kubernetes ConfigMap to define custom regex patterns for additional process commands to redact. | 25 Aug 2025 | |
Sensitive Information Exposure in NeuVector Manager Container Logs
CVE ID: CVE-2025-46808
CVSS Score: 6.8 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N)
CWE: CWE-532: Insertion of Sensitive Information into Log File
Affected Versions
- All versions earlier than 5.0.0
- Versions from 5.0.0 up to and including 5.4.4

Fixed version: 5.4.5
Impact
A vulnerability has been identified in NeuVector versions up to and including 5.4.4, where sensitive information is leaked into the manager container’s log. The following fields may be exposed:
Field | Field Description | Where it Appears | Reproduction | Environment |
---|---|---|---|---|
| | Rancher’s session token for single sign-on | Request header | Log in via Rancher UI and access NeuVector SSO | Rancher with NeuVector SSO |
| | GitHub / Azure DevOps token | Request body | Submit remote repository config under Configuration > Settings | NeuVector |
| | NeuVector user’s session token | Response body | GET request to | NeuVector |
| | Rekor public key, Root certificate, SCT public key in private root of trust | Request body | Create/update private root of trust in Sigstore page | NeuVector |
| | Verifier’s public key | Request body | Create/update verifier in Sigstore page | NeuVector |

NeuVector installations that do not use Rancher SSO or Remote Repository Configuration are not affected by this issue.
In the patched version, the X-R-Sess value is partially masked for safety. Other fields such as personal_access_token, token, rekor_public_key, root_cert, sct_public_key, and public_key are no longer logged, as request body logging was removed.

See also: MITRE Technique T1552: Unsecured Credentials.
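The two log-hygiene controls described on this page, redacting process commands that contain password, passwd, pwd, token or key (plus custom ConfigMap regexes) and partially masking a session header value such as X-R-Sess, are shown together in the added Go example below. This is illustrative code written for this page, not NeuVector's implementation: it assumes per-argument masking with a case-insensitive keyword check, that a keyword flag without "=" takes its value from the next argument, and that a masked session value keeps its first 4 characters; the function names are this example's own.

```go
package main

import "regexp"
import "strings"

var defaultSensitive = []string{"password", "passwd", "pwd", "token", "key"} // defaults named in the advisory

// isSensitive reports whether one argument holds a default keyword or matches a custom pattern.
func isSensitive(arg string, custom []*regexp.Regexp) bool {
	lower := strings.ToLower(arg) // case-insensitive match is this example's assumption
	for _, kw := range defaultSensitive {
		if strings.Contains(lower, kw) {
			return true
		}
	}
	for _, re := range custom {
		if re.MatchString(arg) {
			return true
		}
	}
	return false
}

// RedactCommand masks sensitive arguments of a process command line before it is logged.
// A sensitive argument without "=" is treated as a flag whose value follows ("--token abc"),
// so the following argument is masked too (this example's heuristic, not NeuVector's).
func RedactCommand(cmd string, custom []*regexp.Regexp) string {
	args := strings.Fields(cmd)
	for i := 0; i < len(args); i++ {
		if !isSensitive(args[i], custom) {
			continue
		}
		maskNext := !strings.Contains(args[i], "=")
		args[i] = "<redacted>"
		if maskNext && i+1 < len(args) {
			i++
			args[i] = "<redacted>"
		}
	}
	return strings.Join(args, " ")
}

// MaskSession partially masks a session token such as the X-R-Sess header value:
// the first 4 characters stay for log correlation, the rest become "*" (assumed scheme).
func MaskSession(v string) string {
	if len(v) <= 4 {
		return strings.Repeat("*", len(v))
	}
	return v[:4] + strings.Repeat("*", len(v)-4)
}
```

Because the keyword check is a substring match, an argument like ACCESS_KEY=... is redacted as well, which mirrors the broad "contains the strings" rule the page describes.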
Questions and Support
- Contact the SUSE Rancher Security team.
- Open an issue in the NeuVector GitHub repository.