CVE-2025-22248

HIGH

bitnami/pgpool & bitnami/postgres-ha - Info Disclosure

Title source: llm

Description

The bitnami/pgpool Docker image, and the bitnami/postgres-ha k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the cluster. The PGPOOL_SR_CHECK_USER is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at trust level. This allows to log into a PostgreSQL database using the repgmr user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the bitnami/postgres-ha Kubernetes Helm chart.

References (1)

[Vendor Advisory] https://github.com/bitnami/charts/security/advisories/GHSA-mx38-x658-5fwj

Scores

CVSS v3 7.5

EPSS 0.0027

EPSS Percentile 50.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-1188

Status published

Affected Products (2)

broadcom/bitnami < 16.0.0

broadcom/bitnami\/pgpool < 4.6.0-1

Timeline

Published May 13, 2025

Tracked Since Feb 18, 2026