ghsa-4jj9-cgqc-x9h5
Vulnerability from github
Published
2025-12-12 19:22
Modified
2025-12-12 19:22
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM)
Details

Impact

NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks. Starting from version 5.4.0, NeuVector supports TLS verification for following connection types:

  • Registry Connections
  • Auth Server Connections (SAML, LDAP and OIDC)
  • Webhook Connections

By default, TLS verification remains disabled, and its configuration is located under Settings > Configuration in the NeuVector UI.

In the patched version, the new NeuVector deployment enables TLS verification by default. For rolling upgrades, NeuVector does not automatically change this setting to prevent disruptions.

Note: When "TLS verification" is enabled, it affects all connections to:

  • Registry servers
  • Auth servers (SAML, LDAP and OIDC)
  • Webhook servers

Patches

Patched versions include release v5.4.8 and above.

Workarounds

To manually enable TLS verification:

  1. Open the NeuVector UI.
  2. Navigate to Settings > Configuration.
  3. In the TLS Self-Signed Certificate Configuration section, select Enable TLS verification.
  4. (Optional) Upload or paste the TLS self-signed certificate.

References

If you have any questions or comments about this advisory:

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/neuvector/neuvector"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "5.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-12T19:22:04Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nNeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server\u0027s authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks.\nStarting from version 5.4.0, NeuVector supports TLS verification for following connection types:\n\n- Registry Connections\n- Auth Server Connections (SAML, LDAP and OIDC)\n- Webhook Connections\n\nBy default, TLS verification remains disabled, and its configuration is located under **Settings \u003e Configuration in the NeuVector UI**.\n\nIn the patched version, the new NeuVector deployment enables TLS verification by default. \nFor rolling upgrades, NeuVector does not automatically change this setting to prevent disruptions.\n\n**Note:** When \"TLS verification\" is enabled, it affects all connections to:\n\n- Registry servers\n- Auth servers (SAML, LDAP and OIDC)\n- Webhook servers\n\n### Patches\n\nPatched versions include release v5.4.8 and above.\n\n### Workarounds\n\nTo manually enable TLS verification:\n\n1. Open the NeuVector UI.\n2. Navigate to **Settings \u003e Configuration**.\n3. In the **TLS Self-Signed Certificate Configuration** section, select **Enable TLS verification**.\n4. (Optional) Upload or paste the **TLS self-signed certificate**.\n\n### References\n\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",
  "id": "GHSA-4jj9-cgqc-x9h5",
  "modified": "2025-12-12T19:22:04Z",
  "published": "2025-12-12T19:22:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-4jj9-cgqc-x9h5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/neuvector/neuvector/commit/955904b5762f296d209bf395a5fcc7a40a53c424"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/neuvector/neuvector"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.