JWT token compromise can allow malicious actions including Remote Code Execution (RCE)
Description

### Impact

A user can reverse engineer the JWT (JSON Web Token) used to authenticate Manager and API access and forge a valid NeuVector token to perform malicious activity in NeuVector. This can lead to RCE.

### Patches

Upgrade to NeuVector [version 5.2.2](https://open-docs.neuvector.com/releasenotes/5x) or later and the latest Helm chart (2.6.3+).
+ In 5.2.2 the certificate used for JWT signing is created automatically by the controller with a validity of 90 days and is rotated automatically.
+ Use a Helm-based deployment/upgrade to 5.2.2 to generate a unique certificate for the Manager, REST API, and registry adapter. A Helm-based installation/upgrade is required in order to automatically generate certificates upon initial installation and on each subsequent upgrade.
+ See the [release notes](https://open-docs.neuvector.com/releasenotes/5x) for manual/YAML-based deployment advice.
+ 5.2.2 also implements additional protections against possible RCE in the custom compliance scripts feature.
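The fix described above rests on two properties of the JWT signing key: it is unique to the deployment (so a key recovered from one installation or from a default image cannot sign tokens for another) and it is rotated on a schedule. The following Go program is an added example written for this advisory; it is not NeuVector code and makes no claim about how the NeuVector controller implements its certificates. It models a hypothetical `KeyRing` that generates a fresh RS256 key per deployment, keeps retired public keys only so that unexpired tokens stay verifiable across a rotation, and pins the algorithm on verification so a token cannot select `none` or a different scheme. The key IDs, claim names and lifetimes are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// KeyRing (hypothetical) holds the current per-deployment signing key plus the
// public halves of recently retired keys, so tokens issued before a rotation
// remain verifiable until they expire while the old private key is discarded.
type KeyRing struct {
	gen       int
	currentID string
	private   *rsa.PrivateKey
	public    map[string]*rsa.PublicKey
	rotateAt  time.Time
	lifetime  time.Duration // e.g. 90 days, mirroring the advisory's rotation period
}

// NewKeyRing generates the deployment's first key; nothing is shared or baked in.
func NewKeyRing(lifetime time.Duration, now time.Time) (*KeyRing, error) {
	kr := &KeyRing{public: map[string]*rsa.PublicKey{}, lifetime: lifetime}
	return kr, kr.Rotate(now)
}

// Rotate creates a fresh RSA key, makes it current and retires the previous one.
func (kr *KeyRing) Rotate(now time.Time) error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	kr.gen++
	kr.currentID = fmt.Sprintf("key-%d", kr.gen) // constructed key ID
	kr.private = priv
	kr.public[kr.currentID] = &priv.PublicKey
	kr.rotateAt = now.Add(kr.lifetime)
	return nil
}

// NeedsRotation reports whether the current key has reached its configured lifetime.
func (kr *KeyRing) NeedsRotation(now time.Time) bool { return !now.Before(kr.rotateAt) }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign issues an RS256 JWT for subject with the current key and a short expiry.
func (kr *KeyRing) Sign(subject string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kr.currentID})
	claims, _ := json.Marshal(map[string]interface{}{"sub": subject, "exp": now.Add(ttl).Unix()})
	signingInput := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, kr.private, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Verify checks algorithm, key ID, signature and expiry, returning the subject.
func (kr *KeyRing) Verify(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return "", err
	}
	// The verifier, not the token, decides the algorithm: "none" or an HMAC
	// scheme that would treat the public key as a shared secret is refused.
	if hdr.Alg != "RS256" {
		return "", errors.New("unexpected alg")
	}
	pub, ok := kr.public[hdr.Kid] // only keys this deployment generated are trusted
	if !ok {
		return "", errors.New("unknown kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("bad signature")
	}
	claimsJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct {
		Sub string `json:"sub"`
		Exp int64  `json:"exp"`
	}
	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
		return "", err
	}
	if now.Unix() >= claims.Exp {
		return "", errors.New("expired")
	}
	return claims.Sub, nil
}

func main() {
	now := time.Now()
	kr, _ := NewKeyRing(90*24*time.Hour, now)
	tok, _ := kr.Sign("admin", now, time.Hour)
	sub, err := kr.Verify(tok, now)
	fmt.Println("own token:", sub, err)
	other, _ := NewKeyRing(90*24*time.Hour, now) // a different deployment's key
	foreign, _ := other.Sign("admin", now, time.Hour)
	_, err = kr.Verify(foreign, now)
	fmt.Println("token signed by another deployment's key:", err)
}
```

Because the keys are generated at startup rather than shipped in an image or chart, a token signed elsewhere fails with an unknown key ID, and even a token that copies a valid `kid` fails the signature check. After `Rotate`, tokens issued under the previous key still verify until their own `exp`, which is what lets a scheduled rotation proceed without logging every user out at once.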

### Workarounds

Users can replace the Manager and Controller certificate manually by following the instructions documented [here](https://open-docs.neuvector.com/configuration/console/replacecert). However, upgrading to 5.2.2 and replacing the Manager/REST API certificate is recommended, as it provides additional security enhancements against attempted exploitation and the resulting RCE. See the [release notes](https://open-docs.neuvector.com/releasenotes/5x) for additional details.

### For More Information

View the NeuVector [Security Policy](https://github.com/neuvector/neuvector/security)

General NeuVector [documentation](https://open-docs.neuvector.com/)