CVE-2025-54469— NeuVector 操作系统命令注入漏洞

NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow

A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values. The entry process of the enforcer container is the monitor process. When the enforcer container stops, the monitor process checks whether the consul subprocess has exited. To perform this check, the monitor process uses the popen function to execute a shell command that determines whether the ports used by the consul subprocess are still active. The values of environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT are used directly to compose shell commands via popen without validation or sanitization. This behavior could allow a malicious user to inject malicious commands through these variables within the enforcer container.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

NeuVector 操作系统命令注入漏洞

NeuVector是美国NeuVector公司的一套端到端的容器安全平台。该平台包括图像漏洞管理、准入控制和容器进程/文件系统保护等功能。 NeuVector存在操作系统命令注入漏洞，该漏洞源于enforcer容器使用环境变量CLUSTER_RPC_PORT和CLUSTER_LAN_PORT生成通过popen执行的命令时未清理其值，可能导致命令注入攻击。

N/A

N/A