From 1f428e529b98172efa2435eae5ccdcfeb54ed6ba Mon Sep 17 00:00:00 2001 From: hridyesh bisht Date: Wed, 17 Sep 2025 13:35:13 +0530 Subject: [PATCH 1/3] Adding a table ref for CVEs --- docs/16.security_advisories/01.security_advisories/cve.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/16.security_advisories/01.security_advisories/cve.md b/docs/16.security_advisories/01.security_advisories/cve.md index 6b126c31..856928b3 100644 --- a/docs/16.security_advisories/01.security_advisories/cve.md +++ b/docs/16.security_advisories/01.security_advisories/cve.md 
@@ -7,8 +7,12 @@ NeuVector is committed to informing the community of security issues. Below is a | ID | Description | Date | Release | | :---- | :---- | :---- | :---- | | [CVE-2025-8077](https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56) | For NeuVector deployment on the Kubernetes-based environment, the bootstrap password of the default admin user will be generated randomly and stored in a Kubernetes secret. The default admin will need to get the bootstrap password from the Kubernetes secret first and will be asked to change password after the first UI login is successful. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | -| [CVE-2025-53884](https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3) | NeuVector uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords.For rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash only after each user’s next successful login. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | +| [CVE-2025-53884](https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3) | NeuVector uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords. For rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash only after each user’s next successful login. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | | [CVE-2025-54467](https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq) | By default, NeuVector redacts process commands that contain the strings password,passwd, pwd, token, or key in security logs, syslog, enforcer debug logs, controller debug logs, webhooks, and support logs. 
Users can configure a Kubernetes ConfigMap to define custom regex patterns for additional process commands to redact. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | +| [CVE-2025-46808](?) | Sensitive information may be logged in the manager container depending on logging configuration and credential permissions. For more information, refer to [ Sensitive information exposure in NeuVector manager container logs](#sensitive-information-exposure-in-neuvector-manager-container-logs) | ? | [NeuVector v5.4.5](https://github.com/neuvector/neuvector/releases/tag/v5.4.5) | + + +| — | . Fixed in 5.4.5. | < 5.0.0 – 5.4.4 ## Sensitive information exposure in NeuVector manager container logs From 68fa31f3e77bad1cc6ec20d05d909c4bb56aef86 Mon Sep 17 00:00:00 2001 From: hridyesh bisht <41201308+kakabisht@users.noreply.github.com> Date: Sun, 21 Sep 2025 23:42:49 +0530 Subject: [PATCH 2/3] Update docs/16.security_advisories/01.security_advisories/cve.md Co-authored-by: Sunil Singh --- docs/16.security_advisories/01.security_advisories/cve.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/16.security_advisories/01.security_advisories/cve.md b/docs/16.security_advisories/01.security_advisories/cve.md index 856928b3..3b7a36c3 100644 --- a/docs/16.security_advisories/01.security_advisories/cve.md +++ b/docs/16.security_advisories/01.security_advisories/cve.md 
@@ -4,7 +4,7 @@ NeuVector is committed to informing the community of security issues. Below is a ## CVE List -| ID | Description | Date | Release | +| ID | Description | Date | Resolution | | :---- | :---- | :---- | :---- | | [CVE-2025-8077](https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56) | For NeuVector deployment on the Kubernetes-based environment, the bootstrap password of the default admin user will be generated randomly and stored in a Kubernetes secret. The default admin will need to get the bootstrap password from the Kubernetes secret first and will be asked to change password after the first UI login is successful. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | | [CVE-2025-53884](https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3) | NeuVector uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords. For rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash only after each user’s next successful login. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | From 86b1cd1adcce5f326a89ab945993a13d92d5060a Mon Sep 17 00:00:00 2001 From: hridyesh bisht Date: Sun, 21 Sep 2025 23:51:31 +0530 Subject: [PATCH 3/3] Making required fixes --- .../01.security_advisories/cve.md | 13 +++++++------ .../01.security_advisories/cve.md | 15 ++++++++++----- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/docs/16.security_advisories/01.security_advisories/cve.md b/docs/16.security_advisories/01.security_advisories/cve.md index 3b7a36c3..f3fa7c1d 100644 --- a/docs/16.security_advisories/01.security_advisories/cve.md +++ b/docs/16.security_advisories/01.security_advisories/cve.md 
@@ -4,12 +4,12 @@ NeuVector is committed to informing the community of security issues. Below is a ## CVE List -| ID | Description | Date | Resolution | +| ID | Description | Date | Release | | :---- | :---- | :---- | :---- | | [CVE-2025-8077](https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56) | For NeuVector deployment on the Kubernetes-based environment, the bootstrap password of the default admin user will be generated randomly and stored in a Kubernetes secret. The default admin will need to get the bootstrap password from the Kubernetes secret first and will be asked to change password after the first UI login is successful. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | | [CVE-2025-53884](https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3) | NeuVector uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords. For rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash only after each user’s next successful login. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | | [CVE-2025-54467](https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq) | By default, NeuVector redacts process commands that contain the strings password,passwd, pwd, token, or key in security logs, syslog, enforcer debug logs, controller debug logs, webhooks, and support logs. Users can configure a Kubernetes ConfigMap to define custom regex patterns for additional process commands to redact. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | -| [CVE-2025-46808](?) | Sensitive information may be logged in the manager container depending on logging configuration and credential permissions. 
For more information, refer to [ Sensitive information exposure in NeuVector manager container logs](#sensitive-information-exposure-in-neuvector-manager-container-logs) | ? | [NeuVector v5.4.5](https://github.com/neuvector/neuvector/releases/tag/v5.4.5) | +| CVE-2025-46808 | Sensitive information may be logged in the manager container depending on logging configuration and credential permissions. For more information, refer to [ Sensitive information exposure in NeuVector manager container logs](#sensitive-information-exposure-in-neuvector-manager-container-logs) | 09 Jul 2025 | [NeuVector v5.4.5](https://github.com/neuvector/neuvector/releases/tag/v5.4.5) | | — | . Fixed in 5.4.5. | < 5.0.0 – 5.4.4 
@@ -40,16 +40,17 @@ A vulnerability has been identified in the NeuVector version up to and including | public\_key | Verifier’s public key | Request body | Create/update verifier in Sigstore page | NeuVector | :::note -**Note:** NeuVector installations not using the single sign-on integration with Rancher Manager, and does not have Remote Repository Configuration enabled, are not affected by this issue. +NeuVector installations that have the single sign-on integration with Rancher Manager and the Remote Repository Configuration disabled are not affected by this issue. ::: -In the patched version, X-R-Sess is partially masked so that users can confirm what it is being used while still keeping it safe for consumption. The log which includes `personal_access_token`, `token`, `rekor_public_key`, `root_cert`, `sct_public_key`, `public key` are removed, as the request body is not mandatory in the log. +In the patched version, X-R-Sess is partially masked so that users can confirm what is being used while still keeping it safe for consumption. The log, which includes `personal_access_token`, `token`, `rekor_public_key`, `root_cert`, `sct_public_key`, and `public key` are removed, as the request body is not mandatory in the log. :::note * The severity of the vulnerability depends on your logging strategy. * **Local logging (default)**: Limits exposure of impact. * **External logging**: Vulnerability’s severity increases, the impact depends on security measures implemented at the external log collector level. * The final impact severity for confidentiality, integrity and availability is dependent on the permissions that the leaked credentials have on their own services. +::: Please consult the associated [Unsecured credentials](https://attack.mitre.org/techniques/T1552/) for further information about this category of attack. 
@@ -66,5 +67,5 @@ No workarounds are currently available. Customers are advised to upgrade to a fi * Contact the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy). * Open an issue in the [NeuVector GitHub repository](https://github.com/neuvector/neuvector/issues/new/choose). * References: - ** [NeuVector Support Matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) - ** [Product Support Lifecycle](https://www.suse.com/lifecycle/#suse-security) \ No newline at end of file + * [NeuVector Support Matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) + * [Product Support Lifecycle](https://www.suse.com/lifecycle/#suse-security) \ No newline at end of file diff --git a/versioned_docs/version-5.4/16.security_advisories/01.security_advisories/cve.md b/versioned_docs/version-5.4/16.security_advisories/01.security_advisories/cve.md index 6b126c31..f3fa7c1d 100644 --- a/versioned_docs/version-5.4/16.security_advisories/01.security_advisories/cve.md +++ b/versioned_docs/version-5.4/16.security_advisories/01.security_advisories/cve.md 
@@ -7,8 +7,12 @@ NeuVector is committed to informing the community of security issues. Below is a | ID | Description | Date | Release | | :---- | :---- | :---- | :---- | | [CVE-2025-8077](https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56) | For NeuVector deployment on the Kubernetes-based environment, the bootstrap password of the default admin user will be generated randomly and stored in a Kubernetes secret. The default admin will need to get the bootstrap password from the Kubernetes secret first and will be asked to change password after the first UI login is successful. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | -| [CVE-2025-53884](https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3) | NeuVector uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords.For rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash only after each user’s next successful login. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | +| [CVE-2025-53884](https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3) | NeuVector uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords. For rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash only after each user’s next successful login. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | | [CVE-2025-54467](https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq) | By default, NeuVector redacts process commands that contain the strings password,passwd, pwd, token, or key in security logs, syslog, enforcer debug logs, controller debug logs, webhooks, and support logs. 
Users can configure a Kubernetes ConfigMap to define custom regex patterns for additional process commands to redact. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) | +| CVE-2025-46808 | Sensitive information may be logged in the manager container depending on logging configuration and credential permissions. For more information, refer to [ Sensitive information exposure in NeuVector manager container logs](#sensitive-information-exposure-in-neuvector-manager-container-logs) | 09 Jul 2025 | [NeuVector v5.4.5](https://github.com/neuvector/neuvector/releases/tag/v5.4.5) | + + +| — | . Fixed in 5.4.5. | < 5.0.0 – 5.4.4 ## Sensitive information exposure in NeuVector manager container logs 
@@ -36,16 +40,17 @@ A vulnerability has been identified in the NeuVector version up to and including | public\_key | Verifier’s public key | Request body | Create/update verifier in Sigstore page | NeuVector | :::note -**Note:** NeuVector installations not using the single sign-on integration with Rancher Manager, and does not have Remote Repository Configuration enabled, are not affected by this issue. +NeuVector installations that have the single sign-on integration with Rancher Manager and the Remote Repository Configuration disabled are not affected by this issue. ::: -In the patched version, X-R-Sess is partially masked so that users can confirm what it is being used while still keeping it safe for consumption. The log which includes `personal_access_token`, `token`, `rekor_public_key`, `root_cert`, `sct_public_key`, `public key` are removed, as the request body is not mandatory in the log. +In the patched version, X-R-Sess is partially masked so that users can confirm what is being used while still keeping it safe for consumption. The log, which includes `personal_access_token`, `token`, `rekor_public_key`, `root_cert`, `sct_public_key`, and `public key` are removed, as the request body is not mandatory in the log. :::note * The severity of the vulnerability depends on your logging strategy. * **Local logging (default)**: Limits exposure of impact. * **External logging**: Vulnerability’s severity increases, the impact depends on security measures implemented at the external log collector level. * The final impact severity for confidentiality, integrity and availability is dependent on the permissions that the leaked credentials have on their own services. +::: Please consult the associated [Unsecured credentials](https://attack.mitre.org/techniques/T1552/) for further information about this category of attack. 
@@ -62,5 +67,5 @@ No workarounds are currently available. Customers are advised to upgrade to a fi * Contact the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy). * Open an issue in the [NeuVector GitHub repository](https://github.com/neuvector/neuvector/issues/new/choose). * References: - ** [NeuVector Support Matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) - ** [Product Support Lifecycle](https://www.suse.com/lifecycle/#suse-security) \ No newline at end of file + * [NeuVector Support Matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) + * [Product Support Lifecycle](https://www.suse.com/lifecycle/#suse-security) \ No newline at end of file
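Review bot: In PATCH 1/3 (docs cve.md, hunk `@@ -7,8 +7,12 @@`) the new row is committed with placeholders, `[CVE-2025-46808](?)` for the ID link and `?` in the Date column, and the three lines that follow it (`+`, `+`, `+| — | . Fixed in 5.4.5. | < 5.0.0 – 5.4.4`) are a malformed orphan row: the blank lines terminate the markdown table, the fragment has three cells against a four-column header, and the leading `.` reads as leftover text. Either drop the fragment or fold the "Fixed in 5.4.5" / "5.0.0 – 5.4.4" affected-range information into the Description cell of the real row, and fill in the link and date before this lands.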
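Review bot: The `Release` to `Resolution` header rename in PATCH 2/3 (hunk `@@ -4,7 +4,7 @@`) is reverted verbatim in PATCH 3/3, so the series nets to no change on that line; squash the two commits so the history does not carry a rename immediately followed by its revert.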
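Review bot: In PATCH 3/3 hunk `@@ -4,12 +4,12 @@` the corrected row now has a concrete date (09 Jul 2025), but the bare `CVE-2025-46808` ID has lost its link while every other ID in the table links to its GHSA advisory, and the orphan row `| — | . Fixed in 5.4.5. | < 5.0.0 – 5.4.4` introduced in PATCH 1/3 is still present as unchanged context. Link the ID to the advisory for consistency with the other rows and remove the stray row, since this commit is the one titled "Making required fixes".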
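Review bot: In hunk `@@ -40,16 +40,17 @@` the rewritten admonition is ambiguous: "installations that have the single sign-on integration with Rancher Manager and the Remote Repository Configuration disabled" can be read as SSO enabled with only Remote Repository Configuration disabled, which inverts the original condition (neither feature in use). Suggest "NeuVector installations that have both the single sign-on integration with Rancher Manager and Remote Repository Configuration disabled are not affected by this issue." The next changed line still has a number-agreement problem, "The log, which includes ... are removed"; either "The log entry ... is removed" or "The log fields `personal_access_token`, `token`, ... are removed" reads correctly. The added closing `:::` on the second admonition is the right fix, as the block was previously left open.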
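Review bot: In hunk `@@ -66,5 +67,5 @@` the nested-list fix from `**` to an indented `*` is correct, but both sides still end with "\ No newline at end of file"; add the trailing newline while this line is being touched so the next diff against the file is clean.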
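Review bot: The versioned_docs/version-5.4 hunk `@@ -7,8 +7,12 @@` mirrors the docs/ table change but carries the same defects: two added blank lines that split the markdown table and the malformed orphan row `+| — | . Fixed in 5.4.5. | < 5.0.0 – 5.4.4` with three cells against a four-column header. Apply the same cleanup here, and since the two copies must stay in sync, consider generating the versioned copy from docs/ rather than hand-editing both.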
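Review bot: The versioned_docs hunk `@@ -36,16 +40,17 @@` repeats the ambiguous admonition wording ("have the single sign-on integration with Rancher Manager and the Remote Repository Configuration disabled") and the "The log, which includes ... are removed" agreement error from the docs/ copy; whatever wording is settled on for docs/ should be applied identically here so the 5.4 versioned page does not diverge.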
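Review bot: The versioned_docs hunk `@@ -62,5 +67,5 @@` has the same list-marker fix and the same lingering "\ No newline at end of file" as the docs/ copy; add the trailing newline in both files in this commit.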