CVE-2025-54469
BaseFortify
Publication date: 2025-10-30
Last updated on: 2025-10-30
Assigner: SUSE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| neuvector | enforcer | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in NeuVector involves the enforcer component using environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to build shell commands executed via popen without sanitizing these variables. Because these environment variables are used directly, a malicious user could inject harmful commands through them within the enforcer container, potentially leading to command injection attacks.
How can this vulnerability impact me? :
The vulnerability can allow an attacker with access to the enforcer container environment variables to execute arbitrary commands on the system. This can lead to full compromise of the container, including unauthorized access, data manipulation, service disruption, or further attacks on the host or network.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT are properly sanitized and validated before being used to compose shell commands. Avoid using unsanitized environment variables directly in popen calls. Additionally, restrict access to the enforcer container to trusted users only to prevent malicious injection through these variables.