Description
Advisory GHSA-qqj3-g7mx-5p4w references a vulnerability in the following Go modules:
| Module | 
|---|
| https://github.com/neuvector/neuvector | 
Description:
Impact
This vulnerability affects NeuVector deployments only when the "Report anonymous cluster data" option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server at https://upgrades.neuvector-upgrade-responder.livestock.rancher.io.
In affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept or modify the transmitted data. Additio...
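The failure mode described above (a telemetry sender that does not verify the server's TLS certificate) can be shown in a few lines of Go. The following is an added illustration for triage, not code from the NeuVector project or from the fix commits: the function names `telemetryClient`, `sendTelemetry` and `demo`, the JSON body, and the use of an `httptest` loopback server as a stand-in for an untrusted endpoint are all assumptions made here. The weak client sets `InsecureSkipVerify`, which is the pattern the advisory describes; the hardened variants verify against the system trust store or against an explicitly supplied CA pool.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// telemetryClient builds the HTTP client a telemetry sender would use.
// skipVerify=true reproduces the weak pattern: the server certificate is never
// checked, so any party on the network path can present its own certificate
// and read or alter the submitted data. roots, when non-nil, restricts trust to
// a known CA set (hardened form); nil means the system trust store.
// Hypothetical helper written for this example.
func telemetryClient(skipVerify bool, roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second, // general hygiene: never wait forever on a remote server
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				MinVersion:         tls.VersionTLS12,
				InsecureSkipVerify: skipVerify, // weak when true
				RootCAs:            roots,
			},
		},
	}
}

// sendTelemetry POSTs a constructed JSON body to url and returns a non-nil
// error if anything, including the TLS handshake, fails.
func sendTelemetry(c *http.Client, url string) error {
	body := []byte(`{"cluster_id":"constructed-sample","nodes":3}`) // constructed sample data
	resp, err := c.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// demo stands up a loopback TLS server whose self-signed certificate is not
// trusted by any root store (it plays the role of an impersonating endpoint)
// and tries three clients against it. It returns whether each one accepted
// the connection: weak (no verification), strict (system roots only) and
// pinned (trusts exactly the expected certificate).
func demo() (weakOK, strictOK, pinnedOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	// Weak: verification disabled, so the untrusted certificate is accepted.
	weakOK = sendTelemetry(telemetryClient(true, nil), srv.URL) == nil

	// Strict: default verification rejects a certificate no trusted CA signed.
	strictOK = sendTelemetry(telemetryClient(false, nil), srv.URL) == nil

	// Pinned: verification stays on, and only the expected certificate is trusted.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinnedOK = sendTelemetry(telemetryClient(false, pool), srv.URL) == nil
	return
}

func main() {
	weak, strict, pinned := demo()
	fmt.Printf("no verification accepted the untrusted certificate: %v\n", weak)
	fmt.Printf("system-root verification accepted it: %v\n", strict)
	fmt.Printf("verification against the expected CA accepted it: %v\n", pinned)
}
```

When auditing a sender like this, the thing to look for is any `tls.Config` with `InsecureSkipVerify: true` (or a custom `VerifyPeerCertificate` that accepts everything) on the transport that talks to the telemetry endpoint; the fix is to leave verification on and, where the endpoint's CA is known in advance, pass that CA through `RootCAs` rather than disabling checks.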
References:
- ADVISORY: GHSA-qqj3-g7mx-5p4w
- ADVISORY: GHSA-qqj3-g7mx-5p4w
- FIX: neuvector/neuvector@0642470
- FIX: neuvector/neuvector@415737c
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
    - module: https://github.com/neuvector/neuvector
      non_go_versions:
        - introduced: TODO (earliest fixed "5.4.7", vuln range ">= 5.4.0, <= 5.4.6")
        - introduced: 0.0.0-20230727023453-1c4957d53911
        - fixed: 0.0.0-20251020133207-084a437033b4
        - introduced: 5.3.0
        - fixed: 5.3.5
summary: NeuVector telemetry sender is vulnerable to MITM and DoS in https://github.com/neuvector/neuvector
cves:
    - CVE-2025-54470
ghsas:
    - GHSA-qqj3-g7mx-5p4w
references:
    - advisory: https://github.com/advisories/GHSA-qqj3-g7mx-5p4w
    - advisory: https://github.com/neuvector/neuvector/security/advisories/GHSA-qqj3-g7mx-5p4w
    - fix: https://github.com/neuvector/neuvector/commit/06424701e69bf1eb76ff90180d78853fded93021
    - fix: https://github.com/neuvector/neuvector/commit/415737cbec581a5dc5f204fac1c78b7f29ad7dc2
notes:
    - fix: 'module merge error: could not merge versions of module https://github.com/neuvector/neuvector: invalid or non-canonical semver version (found TODO (earliest fixed "5.4.7", vuln range ">= 5.4.0, <= 5.4.6"))'
    - fix: 'https://github.com/neuvector/neuvector: could not add vulnerable_at: module https://github.com/neuvector/neuvector not known to proxy'
source:
    id: GHSA-qqj3-g7mx-5p4w
    created: 2025-10-21T21:01:37.718223481Z
review_status: UNREVIEWED