Bitnami Helm Charts Unauthenticated Secrets Access Vulnerability
Vulnerability
A vulnerability exists in certain Bitnami Helm charts that mount Kubernetes Secrets under a predictable path inside the web server's document root. It affects the Bitnami charts for WordPress, Appsmith, and Drupal: WordPress through 25.0.4, Appsmith through 6.0.19, and Drupal through 22.0.4. In these versions the chart default 'usePasswordFiles=true' writes the credentials as files into the served directory, so they can be fetched without authentication over HTTP or HTTPS. A remote attacker who can reach the application can retrieve these secrets by requesting the corresponding URLs, provided the application is exposed externally.
Impact
The vulnerability allows remote attackers to access sensitive secrets through predictable URL paths, potentially leading to unauthorized disclosure of credentials.
Remediation
Users are advised to upgrade to the first unaffected version of each chart. As a workaround, deployments that rely on the default 'usePasswordFiles=true' can disable it so that secrets are passed as environment variables instead of being mounted as files, which keeps them out of the web root. Alternatively, web server or ingress rules can be applied to deny access to the secrets path.
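Added example, not part of the advisory or of the Bitnami charts: a small audit function that flags Helm releases still exposed to this issue, using the version bounds above and the fact that the affected default for usePasswordFiles is true. It consumes the JSON printed by `helm list -o json` and `helm get values <release> -o json`; the sample records embedded below are constructed.

```python
"""Audit Helm releases for Bitnami charts that still serve secrets from the web root."""
import json
import re

# Chart versions affected per the advisory (inclusive upper bounds).
AFFECTED_THROUGH = {"wordpress": (25, 0, 4), "appsmith": (6, 0, 19), "drupal": (22, 0, 4)}


def parse_chart(chart):
    """Split a helm 'chart' field such as 'wordpress-25.0.4' into (name, version tuple)."""
    m = re.fullmatch(r"(.+)-(\d+)\.(\d+)\.(\d+)", chart)
    if not m:
        return None, None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def is_affected(chart, values):
    """True when the release runs an affected chart version and usePasswordFiles is
    effectively on: set to true explicitly, or unset (the affected default is true)."""
    name, version = parse_chart(chart)
    if name not in AFFECTED_THROUGH or version is None:
        return False
    if version > AFFECTED_THROUGH[name]:
        return False
    return bool(values.get("usePasswordFiles", True))


def audit(release_list_json, values_by_release):
    """Return 'namespace/name (chart)' for every release that still needs remediation."""
    findings = []
    for rel in json.loads(release_list_json):
        vals = values_by_release.get(rel["name"], {})
        if is_affected(rel["chart"], vals):
            findings.append(f"{rel['namespace']}/{rel['name']} ({rel['chart']})")
    return findings


# Constructed sample standing in for the output of `helm list -A -o json`.
SAMPLE_LIST = json.dumps([
    {"name": "blog", "namespace": "web", "chart": "wordpress-25.0.4"},
    {"name": "cms", "namespace": "web", "chart": "drupal-22.0.4"},
    {"name": "app", "namespace": "tools", "chart": "appsmith-6.0.19"},
    {"name": "cache", "namespace": "infra", "chart": "redis-19.0.0"},
])
# Constructed user-supplied values, as `helm get values <name> -o json` would print them.
SAMPLE_VALUES = {
    "blog": {},                          # nothing overridden: default true, still exposed
    "cms": {"usePasswordFiles": False},  # workaround applied
    "app": {"usePasswordFiles": True},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LIST, SAMPLE_VALUES):
        print("needs remediation:", finding)
```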