{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22248", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2025-01-02T04:30:19.929Z", "datePublished": "2025-05-13T09:13:30.613Z", "dateUpdated": "2025-05-13T13:10:31.070Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "packageName": "bitnami/pgpool", "product": "Bitnami", "vendor": "VMware", "versions": [{"lessThan": "4.6.0-debian-12-r8", "status": "affected", "version": "*", "versionType": "git"}]}, {"defaultStatus": "affected", "packageName": "bitnami/postgres-ha", "product": "Bitnami", "vendor": "VMware", "versions": [{"lessThan": "16.0.0", "status": "affected", "version": "*", "versionType": "git"}]}], "datePublic": "2025-05-13T08:09:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The </span><code>bitnami/pgpool</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;Docker image, and the </span><code>bitnami/postgres-ha</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the cluster.&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">The </span><code>PGPOOL_SR_CHECK_USER</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at </span><code>trust</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;level. This allows to log into a PostgreSQL database using the </span><code>repgmr</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the </span><code>bitnami/postgres-ha</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;Kubernetes Helm chart.</span></span><br>"}], "value": "The bitnami/pgpool\u00a0Docker image, and the bitnami/postgres-ha\u00a0k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the cluster.\u00a0The PGPOOL_SR_CHECK_USER\u00a0is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at trust\u00a0level. This allows to log into a PostgreSQL database using the repgmr\u00a0user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the bitnami/postgres-ha\u00a0Kubernetes Helm chart."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 9.4, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-05-13T09:13:30.613Z"}, "references": [{"url": "https://github.com/bitnami/charts/security/advisories/GHSA-mx38-x658-5fwj"}], "source": {"discovery": "UNKNOWN"}, "title": "[pgpool] Unauthenticated access to postgres through pgpool", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1188", "lang": "en", "description": "CWE-1188 Initialization of a Resource with an Insecure Default"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-13T13:10:00.979591Z", "id": "CVE-2025-22248", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-13T13:10:31.070Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-22248", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-13T13:10:00.979591Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1188", "description": "CWE-1188 Initialization of a Resource with an Insecure Default"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-13T13:10:26.931Z"}}], "cna": {"title": "[pgpool] Unauthenticated access to postgres through pgpool", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}], "affected": [{"vendor": "VMware", "product": "Bitnami", "versions": [{"status": "affected", "version": "*", "lessThan": "4.6.0-debian-12-r8", "versionType": "git"}], "packageName": "bitnami/pgpool", "defaultStatus": "affected"}, {"vendor": "VMware", "product": "Bitnami", "versions": [{"status": "affected", "version": "*", "lessThan": "16.0.0", "versionType": "git"}], "packageName": "bitnami/postgres-ha", "defaultStatus": "affected"}], "datePublic": "2025-05-13T08:09:00.000Z", "references": [{"url": "https://github.com/bitnami/charts/security/advisories/GHSA-mx38-x658-5fwj"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The bitnami/pgpool\u00a0Docker image, and the bitnami/postgres-ha\u00a0k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the cluster.\u00a0The PGPOOL_SR_CHECK_USER\u00a0is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at trust\u00a0level. This allows to log into a PostgreSQL database using the repgmr\u00a0user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the bitnami/postgres-ha\u00a0Kubernetes Helm chart.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The </span><code>bitnami/pgpool</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;Docker image, and the </span><code>bitnami/postgres-ha</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the cluster.&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">The </span><code>PGPOOL_SR_CHECK_USER</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at </span><code>trust</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;level. This allows to log into a PostgreSQL database using the </span><code>repgmr</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the </span><code>bitnami/postgres-ha</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;Kubernetes Helm chart.</span></span><br>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-05-13T09:13:30.613Z"}}}, "cveMetadata": {"cveId": "CVE-2025-22248", "state": "PUBLISHED", "dateUpdated": "2025-05-13T13:10:31.070Z", "dateReserved": "2025-01-02T04:30:19.929Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2025-05-13T09:13:30.613Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:bitnami:*:*:*:*:*:postgresql:*:*", "matchCriteriaId": "B227ABBF-D7EE-4E2C-ACCC-893DF02D8010", "versionEndExcluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:broadcom:bitnami\\/pgpool:*:*:*:*:*:docker:*:*", "matchCriteriaId": "7D03A055-CE7B-4DA8-BC58-CE5EF3C448AC", "versionEndExcluding": "4.6.0-1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The bitnami/pgpool\u00a0Docker image, and the bitnami/postgres-ha\u00a0k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the cluster.\u00a0The PGPOOL_SR_CHECK_USER\u00a0is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at trust\u00a0level. This allows to log into a PostgreSQL database using the repgmr\u00a0user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the bitnami/postgres-ha\u00a0Kubernetes Helm chart."}, {"lang": "es", "value": "La imagen de Docker bitnami/pgpool y el diagrama k8s bitnami/postgres-ha, en la configuraci\u00f3n predeterminada, incluyen el usuario \"repmgr\" que permite el acceso no autenticado a la base de datos dentro del cl\u00faster. PGPOOL_SR_CHECK_USER es el usuario que Pgpool utiliza para realizar comprobaciones de replicaci\u00f3n en streaming en los nodos y no debe tener un nivel de confianza. Esto permite iniciar sesi\u00f3n en una base de datos PostgreSQL con el usuario \"repmgr\" sin autenticaci\u00f3n. Si Pgpool se expone externamente, un atacante podr\u00eda usar este usuario para acceder al servicio. Esto tambi\u00e9n est\u00e1 presente en el diagrama Helm de Kubernetes bitnami/postgres-ha."}], "id": "CVE-2025-22248", "lastModified": "2025-07-18T18:58:21.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2025-05-13T10:15:22.600", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://github.com/bitnami/charts/security/advisories/GHSA-mx38-x658-5fwj"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1188"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}