CVE-2025-22248

The bitnami/pgpool Docker image, and the bitnami/postgres-ha k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the cluster. The PGPOOL_SR_CHECK_USER is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at trust level. This allows to log into a PostgreSQL database using the repgmr user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the bitnami/postgres-ha Kubernetes Helm chart.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/bitnami/charts/security/advisories/GHSA-mx38-x658-5fwj	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:broadcom:bitnami::::::postgresql::*
	cpe:2.3:a:broadcom:bitnami\/pgpool::::::docker::*

History

18 Jul 2025, 18:58

Type	Values Removed	Values Added
First Time		Broadcom bitnami\/pgpool
CPE	cpe:2.3:a:broadcom:bitnami_popool::::::docker::*	cpe:2.3:a:broadcom:bitnami\/pgpool::::::docker::*

16 Jul 2025, 18:43

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-13 10:15

Updated : 2025-07-18 18:58

NVD link : CVE-2025-22248

Mitre link : CVE-2025-22248

CVE.ORG link : CVE-2025-22248

JSON object : View

Products Affected

broadcom

bitnami
bitnami\/pgpool

CWE

CWE-1188

Initialization of a Resource with an Insecure Default

{"id": "CVE-2025-22248", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security@vmware.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-13T10:15:22.600", "references": [{"url": "https://github.com/bitnami/charts/security/advisories/GHSA-mx38-x658-5fwj", "tags": ["Vendor Advisory"], "source": "security@vmware.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-1188"}]}], "descriptions": [{"lang": "en", "value": "The bitnami/pgpool\u00a0Docker image, and the bitnami/postgres-ha\u00a0k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the cluster.\u00a0The PGPOOL_SR_CHECK_USER\u00a0is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at trust\u00a0level. This allows to log into a PostgreSQL database using the repgmr\u00a0user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the bitnami/postgres-ha\u00a0Kubernetes Helm chart."}, {"lang": "es", "value": "La imagen de Docker bitnami/pgpool y el diagrama k8s bitnami/postgres-ha, en la configuraci\u00f3n predeterminada, incluyen el usuario \"repmgr\" que permite el acceso no autenticado a la base de datos dentro del cl\u00faster. PGPOOL_SR_CHECK_USER es el usuario que Pgpool utiliza para realizar comprobaciones de replicaci\u00f3n en streaming en los nodos y no debe tener un nivel de confianza. Esto permite iniciar sesi\u00f3n en una base de datos PostgreSQL con el usuario \"repmgr\" sin autenticaci\u00f3n. Si Pgpool se expone externamente, un atacante podr\u00eda usar este usuario para acceder al servicio. Esto tambi\u00e9n est\u00e1 presente en el diagrama Helm de Kubernetes bitnami/postgres-ha."}], "lastModified": "2025-07-18T18:58:21.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:bitnami:*:*:*:*:*:postgresql:*:*", "vulnerable": true, "matchCriteriaId": "B227ABBF-D7EE-4E2C-ACCC-893DF02D8010", "versionEndExcluding": "16.0.0"}, {"criteria": "cpe:2.3:a:broadcom:bitnami\\/pgpool:*:*:*:*:*:docker:*:*", "vulnerable": true, "matchCriteriaId": "7D03A055-CE7B-4DA8-BC58-CE5EF3C448AC", "versionEndExcluding": "4.6.0-1"}], "operator": "OR"}]}], "sourceIdentifier": "security@vmware.com"}