Description
Advisory GHSA-8pxw-9c75-6w56 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/neuvector/neuvector |
Description:
Impact
A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in admin account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs.
In earlier versions, NeuVector supports setting the default (bootstrap) password for the admin account using a Kubernetes Secret named neuvector-bootstrap-secret. T...
References:
- ADVISORY: GHSA-8pxw-9c75-6w56
- ADVISORY: GHSA-8pxw-9c75-6w56
Cross references:
- github.com/neuvector/neuvector appears in 2 other report(s):
  - data/excluded/GO-2023-2103.yaml (x/vulndb: potential Go vuln in github.com/neuvector/neuvector: GHSA-622h-h2p8-743x #2103) EFFECTIVELY_PRIVATE
  - data/reports/GO-2024-3201.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22644 #3201)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/neuvector/neuvector
      non_go_versions:
        - introduced: 5.0.0
        - fixed: 5.4.6
      vulnerable_at: 0.0.0-20250825182344-addc9308b3a6
summary: NeuVector admin account has insecure default password in github.com/neuvector/neuvector
cves:
    - CVE-2025-8077
ghsas:
    - GHSA-8pxw-9c75-6w56
references:
    - advisory: https://github.com/advisories/GHSA-8pxw-9c75-6w56
    - advisory: https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56
source:
    id: GHSA-8pxw-9c75-6w56
    created: 2025-08-28T14:01:36.578234668Z
review_status: UNREVIEWED
```