{

"schema_version": "1.4.0",

"id": "GHSA-4jj9-cgqc-x9h5",

"modified": "2025-12-12T19:22:04Z",

"published": "2025-12-12T19:22:04Z",

"aliases": [

"CVE-2025-66001"

],

"summary": "NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM)",

"details": "### Impact\n\nNeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks.\nStarting from version 5.4.0, NeuVector supports TLS verification for following connection types:\n\n- Registry Connections\n- Auth Server Connections (SAML, LDAP and OIDC)\n- Webhook Connections\n\nBy default, TLS verification remains disabled, and its configuration is located under **Settings > Configuration in the NeuVector UI**.\n\nIn the patched version, the new NeuVector deployment enables TLS verification by default. \nFor rolling upgrades, NeuVector does not automatically change this setting to prevent disruptions.\n\n**Note:** When \"TLS verification\" is enabled, it affects all connections to:\n\n- Registry servers\n- Auth servers (SAML, LDAP and OIDC)\n- Webhook servers\n\n### Patches\n\nPatched versions include release v5.4.8 and above.\n\n### Workarounds\n\nTo manually enable TLS verification:\n\n1. Open the NeuVector UI.\n2. Navigate to **Settings > Configuration**.\n3. In the **TLS Self-Signed Certificate Configuration** section, select **Enable TLS verification**.\n4. (Optional) Upload or paste the **TLS self-signed certificate**.\n\n### References\n\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",

"severity": [

{

"type": "CVSS_V3",

"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"

}

],

"affected": [

{

"package": {

"ecosystem": "Go",

"name": "github.com/neuvector/neuvector"

},

"ranges": [

{

"type": "ECOSYSTEM",

"events": [

{

"introduced": "5.3.0"

},

{

"fixed": "5.4.8"

}

]

}

]

}

],

"references": [

{

"type": "WEB",

"url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-4jj9-cgqc-x9h5"

},

{

"type": "WEB",

"url": "https://github.com/neuvector/neuvector/commit/955904b5762f296d209bf395a5fcc7a40a53c424"

},

{

"type": "PACKAGE",

"url": "https://github.com/neuvector/neuvector"

}

],

"database_specific": {

"cwe_ids": [

"CWE-295"

],

"severity": "HIGH",

"github_reviewed": true,

"github_reviewed_at": "2025-12-12T19:22:04Z",

"nvd_published_at": null

}

}

{

"schema_version": "1.4.0",

"id": "GHSA-749j-2hp6-8cxm",

"modified": "2025-12-12T19:23:11Z",

"published": "2025-12-12T15:30:42Z",

"aliases": [

"CVE-2025-54981"

],

"summary": "Apache StreamPark uses a Weak Encryption Algorithm",

"details": "Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue.",

"severity": [

{

"type": "CVSS_V4",

"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"

}

],

"affected": [

{

"package": {

"ecosystem": "Maven",

"name": "org.apache.streampark:streampark"

},

"ranges": [

{

"type": "ECOSYSTEM",

"events": [

{

"introduced": "2.0.0"

},

{

"fixed": "2.1.7"

}

]

}

]

}

],

"references": [

{

"type": "ADVISORY",

"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54981"

},

{

"type": "WEB",

"url": "https://github.com/apache/streampark/commit/39034db0c806168afa82e58e4f376e1e3c3b73e4"

},

{

"type": "PACKAGE",

"url": "https://github.com/apache/streampark"

},

{

"type": "WEB",

"url": "https://lists.apache.org/thread/9rbvdvwg5fdhzjdgyrholgso53r26998"

}

],

"database_specific": {

"cwe_ids": [

"CWE-327"

],

"severity": "HIGH",

"github_reviewed": true,

"github_reviewed_at": "2025-12-12T19:23:11Z",

"nvd_published_at": "2025-12-12T15:15:53Z"

}

}

"modified": "2025-12-12T19:22:52Z",

"summary": "Apache StreamPark has a hard-coded encryption key",

"severity": [

{

"type": "CVSS_V4",

"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"

}

],

"affected": [

{

"package": {

"ecosystem": "Maven",

"name": "org.apache.streampark:streampark"

},

"ranges": [

{

"type": "ECOSYSTEM",

"events": [

{

"introduced": "2.0.0"

},

{

"fixed": "2.1.7"

}

]

}

]

}

],

{

"type": "WEB",

"url": "https://github.com/apache/streampark/commit/39034db0c806168afa82e58e4f376e1e3c3b73e4"

},

{

"type": "PACKAGE",

"url": "https://github.com/apache/streampark"

},

"severity": "HIGH",

"github_reviewed": true,

"github_reviewed_at": "2025-12-12T19:22:52Z",