Tag: score:9.4

  • Critical Sandbox Escape in Google Cloud Application Integration (CVE-2025-0982)

    Overview

    A critical vulnerability identified as CVE-2025-0982 affects the JavaScript Task feature in Google Cloud Application Integration. The flaw allows attackers to escape the sandbox environment and execute arbitrary, unsandboxed code through crafted JavaScript executed by the Rhino engine.

    Technical Details

    This vulnerability is classified under CWE-829: Inclusion of Functionality from Untrusted Control Sphere. It arises from the use of Rhino, an open-source JavaScript engine implemented in Java, which failed to enforce proper sandboxing in Application Integration’s JavaScript Tasks.

    When malicious JavaScript code is injected into the task feature, it can bypass expected security restrictions and interact directly with the underlying system in ways that violate the sandbox boundaries. This functionality bypass is also categorized under CAPEC-554.

    Severity and CVSS Score

    The vulnerability has been assigned a CVSS 4.0 base score of 9.4 (Critical), with the following vector string:

    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

    • Attack Vector: Network
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality & Integrity Impact: High
    • Availability Impact: None

    Although the attack complexity is rated High, no user interaction or prior privileges are needed, which broadens the exposure and contributes to the Critical rating.

    Mitigation and Vendor Response

    Google has addressed this issue by deprecating the use of the Rhino engine in Application Integration, effective January 24, 2025. No additional mitigation steps are required, and the transition away from Rhino eliminates the vulnerable component from the platform.

    Recommendations

    • Ensure your environment is not relying on outdated or unsupported JavaScript execution engines like Rhino.
    • Confirm that Application Integration environments have transitioned away from Rhino as per Google’s release notes.
    • Avoid including untrusted code in integration workflows or task definitions, even in sandboxed environments.

    Conclusion

    CVE-2025-0982 demonstrates how deeply integrated third-party engines like Rhino can become a liability when not adequately sandboxed. While Google has acted preemptively by removing support, users must verify that their systems are updated accordingly to avoid lingering exposure.

    For additional details, review the official documentation from Google:

    Release Notes – January 23, 2025

  • CVE-2025-22248: Unauthenticated Access via Default Pgpool Configuration in Bitnami PostgreSQL Deployments

    Critical Default Configuration Vulnerability in Bitnami Pgpool and Postgres-HA

    On May 13, 2025, a critical vulnerability identified as CVE-2025-22248 was disclosed, affecting Bitnami’s pgpool Docker image and the bitnami/postgres-ha Kubernetes Helm chart. This flaw permits unauthenticated access to PostgreSQL databases due to insecure default user settings.

    Understanding the Vulnerability

    The issue stems from the inclusion of a user account named repmgr, configured by default without authentication controls. This account is intended for internal streaming replication checks by Pgpool, controlled via the PGPOOL_SR_CHECK_USER setting.

    However, in affected configurations this user is configured with the trust authentication method, so no credentials are required. If Pgpool is exposed to external networks, an attacker could exploit this configuration to:

    • Access the PostgreSQL database without authentication
    • Potentially compromise data confidentiality, integrity, and availability

    CVSS 4.0 Score and Impact

    This vulnerability has been rated CRITICAL with a CVSS v4.0 base score of 9.4. The vector string is:

    CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

    The scoring details reveal:

    • Attack Vector: Adjacent network (e.g., same Kubernetes cluster)
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality/Integrity/Availability Impact: High

    This configuration flaw exemplifies CWE-1188: Initialization of a Resource with an Insecure Default, which refers to the use of weak or unsafe defaults in software deployments.

    Affected Versions

    The following Bitnami components are impacted:

    • bitnami/pgpool versions prior to 4.6.0-debian-12-r8
    • bitnami/postgres-ha versions prior to 16.0.0

    These defaults are present in both Docker and Kubernetes Helm chart deployments.

    Remediation

    Organizations using affected versions should:

    • Update to the latest fixed versions of pgpool and postgres-ha
    • Audit and secure all default database users
    • Restrict external exposure of Pgpool where unnecessary

    Bitnami has provided updated packages and advisories through their GitHub repository.
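The "audit and secure all default database users" step above amounts to checking the host-based authentication rules for accounts that are reachable over the network without credentials. The following added example (not Bitnami's or Pgpool's code) audits rules in the pg_hba.conf / pool_hba.conf format for exactly that pattern; the sample rules, including the `repmgr` entries, are constructed for illustration and do not reproduce any shipped default file.

```python
# Added example (not Bitnami's code): audit pg_hba.conf / pool_hba.conf
# style rules for the pattern behind CVE-2025-22248, a network-reachable
# rule whose METHOD is "trust" (no authentication). The sample rules are
# constructed for illustration; "repmgr" is the account the advisory names.
from typing import List, Tuple

SAMPLE_HBA = """\
# TYPE  DATABASE     USER      ADDRESS        METHOD
local   all          all                      trust
host    all          all       127.0.0.1/32   trust
host    all          repmgr    0.0.0.0/0      trust
host    all          postgres  10.0.0.0/8     scram-sha-256
hostssl all          repmgr    ::/0           trust
host    replication  repmgr    192.168.0.0    255.255.0.0   trust
"""

NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
LOOPBACK = {"127.0.0.1/32", "::1/128", "localhost"}

# (line number, database, user, address, severity)
Finding = Tuple[int, str, str, str, str]

def audit_hba(text: str) -> List[Finding]:
    """Return one finding per rule that grants trust (unauthenticated) access over the network."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            continue  # unix-socket rules are out of scope for this check
        if conn_type not in NETWORK_TYPES or len(fields) < 5:
            continue  # unknown type or too few fields to evaluate
        database, user = fields[1], fields[2]
        if fields[4][0].isdigit() and len(fields) > 5:  # "ip netmask" form
            address, method = fields[3] + " " + fields[4], fields[5].lower()
        else:                                            # CIDR or keyword form
            address, method = fields[3], fields[4].lower()
        if method != "trust":
            continue
        # trust on loopback is still worth a look in containers, but the
        # advisory's exposure is trust on an externally reachable address
        severity = "medium" if address in LOOPBACK else "high"
        findings.append((lineno, database, user, address, severity))
    return findings
```

Run against a real file, every "high" finding is a rule that should be changed to a password or certificate method (or removed), and the Pgpool replication-check user should be given real credentials rather than trust.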

    Conclusion

    CVE-2025-22248 is a strong reminder of the dangers posed by insecure default configurations, especially in cloud-native environments. Administrators must not rely on default security settings and should proactively review deployment parameters to reduce risk.
