Mounted Kubernetes Secrets under a predictable path located within the web server document root

CVE Details

Basic Information

Title Mounted Kubernetes Secrets under a predictable path located within the web server document root
Type cve
Published 2025-07-24T06:42:25.254Z
Modified 2025-07-24T06:42:25.254Z

Product Information

Vendor VMware
Product bitnamicharts/appsmith
Version 21.2.0

CVSS Information

Base Score 10.0 (CRITICAL)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Analysis

AI Description A critical vulnerability in Bitnami Helm Charts allows unauthenticated access to sensitive Kubernetes Secrets via predictable paths within the web server document root. This could expose credentials and other sensitive data to remote attackers. The issue is exacerbated by the default configuration of usePasswordFiles=true, which mounts secrets as files in the container filesystem.
AI Severity Critical
AI Vendor VMware
AI Product Bitnami Helm Charts
AI Version 21.2.0

Affected Products

  • VMware bitnamicharts/appsmith 21.2.0
  • VMware bitnamicharts/drupal 5.2.0
  • VMware bitnamicharts/wordpress 24.2.0

Additional Information

Source vmware

Description

Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root.
In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem.
