  • CVE-2025-22248: Unauthenticated Access via Default Pgpool Configuration in Bitnami PostgreSQL Deployments

    Critical Default Configuration Vulnerability in Bitnami Pgpool and Postgres-HA

    On May 13, 2025, a critical vulnerability identified as CVE-2025-22248 was disclosed, affecting Bitnami’s pgpool Docker image and the bitnami/postgres-ha Kubernetes Helm chart. This flaw permits unauthenticated access to PostgreSQL databases due to insecure default user settings.

    Understanding the Vulnerability

    The issue stems from the inclusion of a user account named repmgr, configured by default without authentication controls. This account is intended for internal streaming replication checks by Pgpool, controlled via the PGPOOL_SR_CHECK_USER setting.

    However, in affected configurations this user is assigned the trust authentication method, so no password is required. If Pgpool is exposed to external networks, an attacker could exploit this configuration to:

    • Access the PostgreSQL database without authentication
    • Potentially compromise data confidentiality, integrity, and availability

    CVSS 4.0 Score and Impact

    This vulnerability has been rated CRITICAL with a CVSS v4.0 base score of 9.4. The vector string is:

    CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

    The scoring details reveal:

    • Attack Vector: Adjacent network (e.g., same Kubernetes cluster)
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality/Integrity/Availability Impact: High

    This configuration flaw exemplifies CWE-1188: Initialization of a Resource with an Insecure Default, which refers to the use of weak or unsafe defaults in software deployments.

    Affected Versions

    The following Bitnami components are impacted:

    • bitnami/pgpool versions prior to 4.6.0-debian-12-r8
    • bitnami/postgres-ha versions prior to 16.0.0

    These defaults are present in both Docker and Kubernetes Helm chart deployments.

    Remediation

    Organizations using affected versions should:

    • Update to the latest fixed versions of pgpool and postgres-ha
    • Audit and secure all default database users
    • Restrict external exposure of Pgpool where unnecessary
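    The audit step above ("Audit and secure all default database users") and the trust-method weakness described under "Understanding the Vulnerability" can be checked mechanically. The following is an added example, not code from Bitnami or the pgpool project: it parses host-based-authentication rules in the pool_hba.conf / pg_hba.conf format (TYPE DATABASE USER ADDRESS METHOD), flags every `trust` rule that a peer off the local host could match, and emits a copy with those rules switched to `scram-sha-256`. The rules in `SAMPLE_HBA` are constructed for illustration, with a `repmgr` entry open to `0.0.0.0/0` standing in for the weak default.

```python
"""Audit pgpool / PostgreSQL host-based-auth rules for 'trust' entries.

Added example (not Bitnami's or the pgpool project's code). Assumes the
pool_hba.conf / pg_hba.conf line format:
    TYPE  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
and treats any 'trust' rule that a non-loopback peer can match as a finding.
The rules in SAMPLE_HBA are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: a weak repmgr default beside hardened entries.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS       METHOD
local   all       all                    trust
host    all       all      127.0.0.1/32  scram-sha-256
host    all       repmgr   0.0.0.0/0     trust
host    all       all      0.0.0.0/0     scram-sha-256
hostssl all       postgres 10.0.0.0/8    md5
"""


@dataclass
class HbaRule:
    conn_type: str   # local, host, hostssl, hostnossl, ...
    database: str
    user: str
    address: str     # CIDR, 'addr/netmask', keyword such as 'all', or '' for local
    method: str
    line_no: int


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hba(text: str) -> list[HbaRule]:
    """Parse HBA text into rules, skipping comments, blanks and malformed lines."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            if len(fields) >= 4:
                rules.append(HbaRule(fields[0], fields[1], fields[2], "", fields[3], n))
            continue
        if len(fields) >= 6 and "/" not in fields[3] and _is_ip(fields[4]):
            # Two-field form: ADDRESS NETMASK METHOD
            address, method = f"{fields[3]}/{fields[4]}", fields[5]
        elif len(fields) >= 5:
            address, method = fields[3], fields[4]
        else:
            continue
        rules.append(HbaRule(fields[0], fields[1], fields[2], address, method, n))
    return rules


def is_exposed(rule: HbaRule) -> bool:
    """True if a peer that is not on the local host can match this rule."""
    if rule.conn_type == "local":
        return False                      # Unix-domain socket only
    addr = rule.address.lower()
    if addr == "samehost":
        return False
    if addr in ("all", "samenet"):        # any address / any attached subnet
        return True
    try:
        return not ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:
        return True                       # hostname or unparsable: assume reachable


def find_trust_findings(text: str) -> list[dict]:
    """Return exposed 'trust' rules as {line, user, address} dicts."""
    return [
        {"line": r.line_no, "user": r.user, "address": r.address}
        for r in parse_hba(text)
        if r.method.lower() == "trust" and is_exposed(r)
    ]


def harden_trust_rules(text: str, method: str = "scram-sha-256") -> str:
    """Copy of the HBA text with every exposed 'trust' rule switched to `method`."""
    bad = {f["line"] for f in find_trust_findings(text)}
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if n in bad:
            code, sep, comment = raw.partition("#")
            fields = code.split()
            idx = [t.lower() for t in fields].index("trust")
            fields[idx] = method
            raw = "  ".join(fields) + (f"  {sep}{comment}" if sep else "")
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_trust_findings(SAMPLE_HBA):
        print(f"line {f['line']}: user {f['user']} from {f['address']} uses trust")
    print(harden_trust_rules(SAMPLE_HBA))
```

    Run against the sample, the audit reports only the `repmgr` rule on line 4; the local Unix-socket rule and the loopback rule are left alone because no remote peer can reach them. Switching a rule to `scram-sha-256` is only half the change: the role must actually have a password set, and for pgpool's own `pool_hba.conf` the credentials also have to be present in its `pool_passwd` file, otherwise the health and replication checks that the `PGPOOL_SR_CHECK_USER` account performs will start failing. The network-exposure item in the list above is a separate control and is not covered by this check.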

    Bitnami has provided updated packages and advisories through its GitHub repository.

    Conclusion

    CVE-2025-22248 is a strong reminder of the dangers posed by insecure default configurations, especially in cloud-native environments. Administrators must not rely on default security settings and should proactively review deployment parameters to reduce risk.