CVE-2025-22248 (GCVE-0-2025-22248)

Vulnerability from cvelistv5 – Published: 2025-05-13 09:13 – Updated: 2025-05-13 13:10
Summary
The bitnami/pgpool Docker image and the bitnami/postgres-ha k8s chart, under default configurations, come with a 'repmgr' user that allows unauthenticated access to the database inside the cluster. The PGPOOL_SR_CHECK_USER is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at trust level. This allows logging into a PostgreSQL database as the repmgr user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the bitnami/postgres-ha Kubernetes Helm chart.
CWE
  • CWE-1188 - Initialization of a Resource with an Insecure Default
Impacted products
Vendor   Product   Version
VMware   Bitnami   Affected: * , < 4.6.0-debian-12-r8 (git)
VMware   Bitnami   Affected: * , < 16.0.0 (git)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22248",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-13T13:10:00.979591Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1188",
                "description": "CWE-1188 Initialization of a Resource with an Insecure Default",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-13T13:10:31.070Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "packageName": "bitnami/pgpool",
          "product": "Bitnami",
          "vendor": "VMware",
          "versions": [
            {
              "lessThan": "4.6.0-debian-12-r8",
              "status": "affected",
              "version": "*",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "packageName": "bitnami/postgres-ha",
          "product": "Bitnami",
          "vendor": "VMware",
          "versions": [
            {
              "lessThan": "16.0.0",
              "status": "affected",
              "version": "*",
              "versionType": "git"
            }
          ]
        }
      ],
      "datePublic": "2025-05-13T08:09:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe \u003c/span\u003e\u003ccode\u003ebitnami/pgpool\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Docker image, and the \u003c/span\u003e\u003ccode\u003ebitnami/postgres-ha\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;k8s chart, under default configurations, comes with an \u0027repmgr\u0027 user that allows unauthenticated access to the database inside the cluster.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe \u003c/span\u003e\u003ccode\u003ePGPOOL_SR_CHECK_USER\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at \u003c/span\u003e\u003ccode\u003etrust\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;level. This allows to log into a PostgreSQL database using the \u003c/span\u003e\u003ccode\u003erepgmr\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the \u003c/span\u003e\u003ccode\u003ebitnami/postgres-ha\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Kubernetes Helm chart.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "The bitnami/pgpool\u00a0Docker image, and the bitnami/postgres-ha\u00a0k8s chart, under default configurations, comes with an \u0027repmgr\u0027 user that allows unauthenticated access to the database inside the cluster.\u00a0The PGPOOL_SR_CHECK_USER\u00a0is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at trust\u00a0level. This allows to log into a PostgreSQL database using the repgmr\u00a0user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the bitnami/postgres-ha\u00a0Kubernetes Helm chart."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-13T09:13:30.613Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://github.com/bitnami/charts/security/advisories/GHSA-mx38-x658-5fwj"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "[pgpool] Unauthenticated access to postgres through pgpool",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2025-22248",
    "datePublished": "2025-05-13T09:13:30.613Z",
    "dateReserved": "2025-01-02T04:30:19.929Z",
    "dateUpdated": "2025-05-13T13:10:31.070Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

