CVE-2025-54471 (GCVE-0-2025-54471)
Vulnerability from cvelistv5
Published
2025-10-30 09:45
Modified
2025-10-30 13:59
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-321 - Use of Hard-coded Cryptographic Key
Summary
NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.
References
Impacted products
Vendor Product Version
SUSE neuvector Version: 5.3.0   
Version: 0.0.0-20230727023453-1c4957d53911   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54471",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-30T13:59:48.001541Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-30T13:59:54.426Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "github.com/neuvector/neuvector",
          "product": "neuvector",
          "vendor": "SUSE",
          "versions": [
            {
              "lessThan": "5.4.7",
              "status": "affected",
              "version": "5.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "0.0.0-20251020133207-084a437033b4",
              "status": "affected",
              "version": "0.0.0-20230727023453-1c4957d53911",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-10-21T18:26:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NeuVector used a hard-coded cryptographic key embedded in the source \ncode. At compilation time, the key value was replaced with the secret \nkey value and used to encrypt sensitive configurations  when NeuVector \nstores the data.\u003cbr\u003e"
            }
          ],
          "value": "NeuVector used a hard-coded cryptographic key embedded in the source \ncode. At compilation time, the key value was replaced with the secret \nkey value and used to encrypt sensitive configurations  when NeuVector \nstores the data."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "CWE-321: Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T09:45:56.931Z",
        "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "shortName": "suse"
      },
      "references": [
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54471"
        },
        {
          "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-h773-7gf7-9m2x"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "NeuVector is shipping cryptographic material into its binary",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
    "assignerShortName": "suse",
    "cveId": "CVE-2025-54471",
    "datePublished": "2025-10-30T09:45:56.931Z",
    "dateReserved": "2025-07-23T08:11:16.426Z",
    "dateUpdated": "2025-10-30T13:59:54.426Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54471\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-30T13:59:48.001541Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-30T13:59:51.238Z\"}}], \"cna\": {\"title\": \"NeuVector is shipping cryptographic material into its binary\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SUSE\", \"product\": \"neuvector\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.3.0\", \"lessThan\": \"5.4.7\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"0.0.0-20230727023453-1c4957d53911\", \"lessThan\": \"0.0.0-20251020133207-084a437033b4\", \"versionType\": \"semver\"}], \"packageName\": \"github.com/neuvector/neuvector\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-10-21T18:26:00.000Z\", \"references\": [{\"url\": \"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54471\"}, {\"url\": \"https://github.com/neuvector/neuvector/security/advisories/GHSA-h773-7gf7-9m2x\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"NeuVector used a hard-coded cryptographic key embedded in the source \\ncode. At compilation time, the key value was replaced with the secret \\nkey value and used to encrypt sensitive configurations  when NeuVector \\nstores the data.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"NeuVector used a hard-coded cryptographic key embedded in the source \\ncode. At compilation time, the key value was replaced with the secret \\nkey value and used to encrypt sensitive configurations  when NeuVector \\nstores the data.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-321\", \"description\": \"CWE-321: Use of Hard-coded Cryptographic Key\"}]}], \"providerMetadata\": {\"orgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"shortName\": \"suse\", \"dateUpdated\": \"2025-10-30T09:45:56.931Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54471\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-30T13:59:54.426Z\", \"dateReserved\": \"2025-07-23T08:11:16.426Z\", \"assignerOrgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"datePublished\": \"2025-10-30T09:45:56.931Z\", \"assignerShortName\": \"suse\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.