Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem.
Kubernetes secrets are mounted as files in the container under the path /opt/bitnami/*/secrets, which is simultaneously located within the web server's document root directory. The default value of the usePasswordFiles=true parameter causes automatic mounting of secrets as files in the container's file system. A remote attacker without any authentication can access these files by sending an HTTP/S request to the appropriate, predictable URL. External exposure of the application is a necessary condition.
An attacker can retrieve sensitive authentication credentials (e.g., passwords, tokens, API keys) stored as Kubernetes secrets without authentication, which may lead to complete takeover of the application and associated infrastructure.
Apply patches available from the vendor according to references (https://github.com/bitnami/charts/security/advisories/GHSA-wgg9-9qgw-529w). Until updating, consider disabling the usePasswordFiles=true parameter or limiting external exposure of the application and blocking access to the /opt/bitnami/*/secrets path at the web server configuration level.
Deployments of three Bitnami Helm charts using the default value of the usePasswordFiles=true parameter; specific chart names and versions are indicated in the vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H