
Sensitive information is leaked into NeuVector’s manager container logs

Moderate
andypitcher published GHSA-fggw-hv56-8m6r Jul 11, 2025

Package

gomod https://github.com/neuvector/manager (Go)

Affected versions

<5.4.5

Patched versions

5.4.5

Description

Impact

A vulnerability has been identified in NeuVector versions up to and including 5.4.4, where sensitive information is leaked into the manager container's log. The following fields can appear in the log:

Field: X-R-Sess
Field description: Rancher's session token for single sign-on
Where it appears: Request header
Reproduction: Log in via the Rancher UI and access NeuVector through SSO
Environment: Rancher with NeuVector SSO

Field: personal_access_token
Field description: The GitHub / Azure DevOps token
Where it appears: Request body
Reproduction: Submit the remote repository config under Configuration > Settings
Environment: NeuVector

Field: token1.token
Field description: NeuVector user's session token
Where it appears: Response body
Reproduction: Send a GET request through the NeuVector web server's API: https://<neuvector ui's url>/user?name=<username>
Environment: NeuVector

Field: rekor_public_key, root_cert, sct_public_key
Field description: Rekor public key, root certificate and Signed Certificate Timestamp (SCT) public key of a private root of trust
Where it appears: Request body
Reproduction: Create or update a private root of trust from the Sigstore page
Environment: NeuVector

Field: public_key
Field description: Verifier's public key
Where it appears: Request body
Reproduction: Create or update a verifier on the Sigstore page
Environment: NeuVector

Note:

  • In the patched version, X-R-Sess is partially masked so that users can still confirm which token is being used while keeping it safe to log. The log entries that included personal_access_token, token, rekor_public_key, root_cert, sct_public_key and public_key are removed entirely, since the request body is not needed in the log.

  • The exploitability of the vulnerability depends on your logging strategy.

    • Local logging (default): limits the exposure, since the log stays inside the manager container.
    • External logging: the vulnerability's severity increases; the impact then depends on the security measures implemented at the external log collector.

Please consult the associated Unsecured credentials for further information about this category of attack.
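The following Go program is an added example, not NeuVector's own code, illustrating the two changes the note above describes: partially masking the X-R-Sess header and dropping the request body from the log line. It also includes a small scanner over the JSON field names listed in the table, so an operator reviewing pre-upgrade log lines can see which credentials need rotating. The request path, the Authorization header and both token values are constructed for the example and do not correspond to NeuVector's real API or any real credential.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"sort"
	"strings"
)

// Request headers that carry credentials and must never be logged in full.
// X-R-Sess is the Rancher SSO session token named in the advisory;
// Authorization is an assumption added here as the usual bearer-token header.
var sensitiveHeaders = map[string]bool{
	"X-R-Sess":      true,
	"Authorization": true,
}

// MaskToken keeps a short prefix so an operator can still tell which token a
// request used (the advisory's "partially masked" approach) and hides the rest.
func MaskToken(tok string) string {
	const keep = 4
	if len(tok) <= keep {
		return strings.Repeat("*", len(tok))
	}
	return tok[:keep] + strings.Repeat("*", len(tok)-keep)
}

// sortedHeaderKeys gives a stable order so log lines are reproducible.
func sortedHeaderKeys(h http.Header) []string {
	keys := make([]string, 0, len(h))
	for k := range h {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// vulnerableLogLine mirrors the behaviour the advisory describes for versions
// before 5.4.5: every header and the whole request body are written verbatim.
func vulnerableLogLine(r *http.Request, body string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s", r.Method, r.URL.Path)
	for _, k := range sortedHeaderKeys(r.Header) {
		fmt.Fprintf(&b, " %s=%s", k, strings.Join(r.Header[k], ","))
	}
	fmt.Fprintf(&b, " body=%s", body)
	return b.String()
}

// safeLogLine is the hardened form: credential headers are masked, other
// headers are kept, and the request body is omitted entirely because, as the
// advisory notes, it is not needed in the log.
func safeLogLine(r *http.Request) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s", r.Method, r.URL.Path)
	for _, k := range sortedHeaderKeys(r.Header) {
		v := strings.Join(r.Header[k], ",")
		if sensitiveHeaders[http.CanonicalHeaderKey(k)] {
			v = MaskToken(v)
		}
		fmt.Fprintf(&b, " %s=%s", k, v)
	}
	return b.String()
}

// leakedFieldPattern matches the JSON field names the advisory lists as
// leaked via request or response bodies (token1.token appears as "token").
var leakedFieldPattern = regexp.MustCompile(
	`"(personal_access_token|token|rekor_public_key|root_cert|sct_public_key|public_key)"\s*:\s*"[^"]*"`)

// FindLeakedFields returns the sensitive field names present in one log line,
// so an operator reviewing pre-upgrade logs knows which secrets to rotate.
func FindLeakedFields(line string) []string {
	var found []string
	for _, m := range leakedFieldPattern.FindAllStringSubmatch(line, -1) {
		found = append(found, m[1])
	}
	return found
}

func main() {
	// Constructed sample request; the path and both token values are made up
	// and do not correspond to NeuVector's real API or any real credential.
	body := `{"personal_access_token":"ghp_EXAMPLE0123456789"}`
	req := httptest.NewRequest(http.MethodPost, "/example/remote-repo-config", strings.NewReader(body))
	req.Header.Set("X-R-Sess", "rancher-sess-EXAMPLE-token")
	req.Header.Set("Content-Type", "application/json")

	fmt.Println("before:", vulnerableLogLine(req, body))
	fmt.Println("after: ", safeLogLine(req))
	fmt.Println("fields to rotate from old log line:", FindLeakedFields(vulnerableLogLine(req, body)))
}
```

The masking keeps a four-character prefix, which is enough to distinguish tokens in a trace without giving away enough to reuse one; the body is dropped rather than redacted field by field, because a deny-list of field names is easy to get out of date as new settings (such as the Sigstore keys) are added.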

Patches

Patched versions include release 5.4.5 and above. Users are advised to rotate the GitHub token used in Remote Repository Configuration once they have upgraded to a fixed version.

Workarounds

No workarounds are currently available. Customers are advised to upgrade to a fixed version at their earliest convenience.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CVE ID

CVE-2025-46808

Weaknesses

Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file. Learn more on MITRE.