PT-2025-20841 · Postgresql+2 · Postgresql+3

Jamesmeneghello · Published 2025-05-13 · Updated 2025-07-21 · CVE-2025-22248

CVSS v4.0: 9.4 (Critical)

Vector: AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions: bitnami/pgpool (affected versions not specified); bitnami/postgres-ha (affected versions not specified)

Description: The bitnami/pgpool Docker image and the bitnami/postgres-ha k8s chart, under default configurations, come with a repmgr user that allows unauthenticated access to the database inside the cluster. The PGPOOL_SR_CHECK_USER is the user that Pgpool itself uses to perform streaming replication checks against nodes, and it should not be at trust level. As a result, it is possible to log into a PostgreSQL database as the repmgr user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service.

Recommendations: For bitnami/pgpool, consider disabling the repmgr user or restricting its access until a patch is available. For bitnami/postgres-ha, restrict access to the repmgr user to minimize the risk of exploitation. As a temporary workaround, consider updating the configuration to remove the repmgr user from the trust level. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
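
One way to check a deployment for the condition described above, as an added example that is not from the advisory or from Bitnami: it scans the text of an access-control file for rules that give the repmgr role the trust method. It assumes the trust setting lives in an hba-style file using PostgreSQL's pg_hba.conf field layout; the function name `trust_rules` and the sample file contents are constructed for illustration.

```python
"""Flag hba-style rules that let a given role connect with the 'trust' method."""
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample; not taken from the Bitnami images.
SAMPLE_HBA = """\
# TYPE  DATABASE     USER            ADDRESS               METHOD
local   all          postgres                              peer
host    all          repmgr          0.0.0.0/0             trust
host    replication  repmgr          10.0.0.0/8            md5
host    all          pgpool,repmgr   10.0.0.5 255.255.255.255 trust
host    all          all             0.0.0.0/0             scram-sha-256
"""

def _is_bare_ip(text):
    """True for an address written without /prefix (a netmask field follows it)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def trust_rules(hba_text, role="repmgr"):
    """Return (line_no, rule) for every rule applying 'trust' to `role`.

    Field layout: TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD [OPTIONS].
    Assumption: no quoted fields, @file includes or +group entries.
    """
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment or incomplete rule
        if fields[0] == "local":
            method_idx = 3  # local rules carry no ADDRESS field
        elif fields[0] in HOST_TYPES:
            method_idx = 5 if _is_bare_ip(fields[3]) else 4
        else:
            continue
        if len(fields) <= method_idx or fields[method_idx] != "trust":
            continue
        users = fields[2].split(",")
        if role in users or "all" in users:
            findings.append((line_no, " ".join(fields)))
    return findings

if __name__ == "__main__":
    for line_no, rule in trust_rules(SAMPLE_HBA):
        print(f"line {line_no}: trust rule covers repmgr -> {rule}")
```

Rules that name `all` in the user field are reported too, since they cover the repmgr role as well.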

Weakness Enumeration

Related identifiers

BDU:2025-05675
BIT-PGPOOL-2025-22248
CVE-2025-22248
GHSA-MX38-X658-5FWJ

Affected products

Pgpool
Postgresql
Bitnami/Pgpool
Bitnami/Postgres-Ha