CRITICAL🇵🇱 Wersja polska

CVE-2025-41240

CVSS 10.0v3.1pub. 2025-07-24upd. 2026-04-15

Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem.

🤖 AI Analysis
How it works

Kubernetes secrets are mounted as files in the container under the path /opt/bitnami/*/secrets, which is simultaneously located within the web server's document root directory. The default value of the usePasswordFiles=true parameter causes automatic mounting of secrets as files in the container's file system. A remote attacker without any authentication can access these files by sending an HTTP/S request to the appropriate, predictable URL. External exposure of the application is a necessary condition.

Impact

An attacker can retrieve sensitive authentication credentials (e.g., passwords, tokens, API keys) stored as Kubernetes secrets without authentication, which may lead to complete takeover of the application and associated infrastructure.

Mitigation & patch

Apply patches available from the vendor according to references (https://github.com/bitnami/charts/security/advisories/GHSA-wgg9-9qgw-529w). Until updating, consider disabling the usePasswordFiles=true parameter or limiting external exposure of the application and blocking access to the /opt/bitnami/*/secrets path at the web server configuration level.

Who is affected

Deployments of three Bitnami Helm charts using the default value of the usePasswordFiles=true parameter; specific chart names and versions are indicated in the vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References