CVE-2025-41240

Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path · Multiple Products

A critical vulnerability exists in three Bitnami Helm charts where sensitive Kubernetes Secrets are exposed via the web server.

Executive summary

A critical vulnerability exists in three Bitnami Helm charts where sensitive Kubernetes Secrets are exposed via the web server. This misconfiguration places secret data, such as database credentials and API keys, in a publicly accessible web directory. An unauthenticated attacker can easily download these secrets, potentially leading to a complete compromise of the application, data theft, and unauthorized access to underlying infrastructure.

Vulnerability

The affected Bitnami Helm charts are configured to mount Kubernetes Secrets to a predictable file path (/opt/bitnami/*/secrets). This path is located within the web server's document root, making the contents directly accessible over the internet. An unauthenticated remote attacker can exploit this by crafting a simple HTTP GET request to the known path (e.g., http://[vulnerable-app-url]/secrets/[secret-file-name]) to retrieve the sensitive information contained within the secrets. The exposure of these credentials can grant an attacker privileged access to databases, APIs, and other critical components of the application stack.
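The root cause described above is a volume-layout mistake: a Secret-backed volume whose mountPath sits inside the directory the web server serves. The check below is an added example, not Bitnami's or the charts' own code; it walks a Pod spec (the dict shape `kubectl get pod -o json` returns under `.spec`) and reports every Secret or projected-Secret volume mounted at or below an assumed document root. The two Pod specs, the app name `example-app` and the document-root path are constructed for illustration; on a real cluster you would pass the rendered chart output and the web server's actual root.

```python
"""Audit a Pod spec for Secret volumes mounted inside the web document root.

Added example for CVE-2025-41240-style misconfigurations. The Pod specs and
the document-root path below are constructed assumptions, not chart values.
"""
import os
from typing import Dict, List


def _is_within(child: str, parent: str) -> bool:
    """True if `child` equals `parent` or lies below it.

    Normalises both paths and compares on a directory boundary, so that
    /opt/bitnami/example-app2 is NOT treated as inside /opt/bitnami/example-app.
    """
    child = os.path.normpath(child)
    parent = os.path.normpath(parent)
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def secret_mounts_in_docroot(pod_spec: Dict, docroot: str) -> List[Dict]:
    """Return one finding per container mount that exposes a Secret under docroot.

    Secret-backed volumes are plain `secret:` volumes and `projected:` volumes
    with at least one `secret:` source. Environment variables (`env`, `envFrom`)
    are not files and cannot be served by a web server, so they are ignored.
    """
    secret_volumes = set()
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            secret_volumes.add(vol["name"])
        elif "projected" in vol:
            sources = vol["projected"].get("sources", [])
            if any("secret" in src for src in sources):
                secret_volumes.add(vol["name"])

    findings = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for container in containers:
        for mount in container.get("volumeMounts", []):
            if mount["name"] not in secret_volumes:
                continue
            if _is_within(mount["mountPath"], docroot):
                findings.append({
                    "container": container["name"],
                    "volume": mount["name"],
                    "mountPath": mount["mountPath"],
                    "docroot": docroot,
                })
    return findings


# Assumption: the web server serves files from the application's install dir.
ASSUMED_DOCROOT = "/opt/bitnami/example-app"

# Constructed "before" spec: the Secret lands under the document root.
VULNERABLE_POD = {
    "volumes": [
        {"name": "app-secrets", "secret": {"secretName": "example-app-secrets"}},
        {"name": "tmp", "emptyDir": {}},
    ],
    "containers": [{
        "name": "app",
        "volumeMounts": [
            {"name": "app-secrets", "mountPath": "/opt/bitnami/example-app/secrets", "readOnly": True},
            {"name": "tmp", "mountPath": "/opt/bitnami/example-app/tmp"},
        ],
    }],
}

# Constructed "after" spec: same Secret, mounted outside anything the web server serves.
FIXED_POD = {
    "volumes": [
        {"name": "app-secrets", "secret": {"secretName": "example-app-secrets"}},
    ],
    "containers": [{
        "name": "app",
        "volumeMounts": [
            {"name": "app-secrets", "mountPath": "/run/secrets/example-app", "readOnly": True},
        ],
    }],
}


if __name__ == "__main__":
    for label, spec in (("vulnerable", VULNERABLE_POD), ("fixed", FIXED_POD)):
        print(label, secret_mounts_in_docroot(spec, ASSUMED_DOCROOT))
```

The emptyDir mount under the document root is deliberately not reported: only volumes that carry Secret data matter here. The same function can be run over every Pod in a namespace by feeding it each `.spec` from `kubectl get pods -o json`, which is a practical way to find other charts with the same layout before they are published as a CVE.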

Business impact

This vulnerability is rated as critical severity with a CVSS score of 10. Exploitation could lead to a complete loss of confidentiality, integrity, and availability. An attacker gaining access to administrative credentials from the exposed secrets can steal or manipulate sensitive business and customer data, disrupt services by shutting down or destroying infrastructure, and use the compromised system as a pivot point for further attacks into the corporate network. The direct financial impact could be severe, stemming from regulatory fines for data breaches (e.g., GDPR, CCPA), incident response costs, and significant reputational damage.

Remediation

Immediate Action: Immediately apply the patches provided by Bitnami by updating the affected Helm charts to the latest, non-vulnerable versions. After patching, it is crucial to rotate all secrets that were potentially exposed, including database passwords, API keys, and certificates.

Proactive Monitoring: Security teams should actively monitor web server access logs for any requests targeting paths containing /secrets/. Implement alerts for HTTP 404 responses to these paths, as this could indicate scanning activity. Monitor for unusual outbound network traffic from affected pods, which may be a sign of data exfiltration or an attacker using stolen credentials.
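The log review above can be automated. The detector below is an added example, not part of the advisory or of Bitnami's tooling; it parses access-log lines in the common "combined" format, flags any request whose decoded path contains a `secrets` segment (so `/secrets/`, `/Secrets/db-password` and URL-encoded spellings all match), and summarises per client how many such requests were made and how many returned a success status. A 404 run is the scanning signal the advisory mentions; a 2xx on one of these paths means a file was actually served and should be treated as a confirmed exposure. The five log lines are constructed for this example, using documentation IP ranges.

```python
"""Flag access-log requests that probe for mounted Secrets under /secrets/.

Added detection example; the log lines are constructed, not captured traffic.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Matches "secrets" as a whole path segment, e.g. /secrets, /secrets/x, /app/secrets/x
SECRETS_SEGMENT = re.compile(r"(^|/)secrets(/|$)")

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /secrets/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET /secrets/db-password HTTP/1.1" 200 24
198.51.100.4 - - [10/Jan/2025:10:00:05 +0000] "GET /Secrets/api-key?x=1 HTTP/1.1" 404 153
192.0.2.9 - - [10/Jan/2025:10:00:06 +0000] "GET /static/app.css HTTP/1.1" 200 1024
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_secrets_probe(raw_path: str) -> bool:
    """Decide whether a request path targets a /secrets/ location.

    The query string is dropped, percent-encoding is decoded once, and the
    comparison is case-insensitive so trivial evasions do not slip past.
    """
    path = unquote(urlsplit(raw_path).path).lower()
    return SECRETS_SEGMENT.search(path) is not None


def find_secrets_requests(log_text: str) -> List[Dict]:
    """Return the parsed records for every request that probes a secrets path."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_secrets_probe(rec["path"]):
            events.append(rec)
    return events


def summarize_by_client(events: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Aggregate per client IP: total probes and how many were served (status < 400)."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"requests": 0, "served": 0})
    for ev in events:
        summary[ev["ip"]]["requests"] += 1
        if ev["status"] < 400:
            summary[ev["ip"]]["served"] += 1
    return dict(summary)


if __name__ == "__main__":
    for ip, counts in summarize_by_client(find_secrets_requests(SAMPLE_LOG)).items():
        level = "CONFIRMED EXPOSURE" if counts["served"] else "scanning"
        print(f"{ip}: {counts['requests']} probe(s), {counts['served']} served -> {level}")
```

Any client with `served > 0` should trigger the credential-rotation step from the remediation section for that application, and the full request list for that client becomes the scope of the historical review the analyst recommendation calls for.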

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) rule to block all incoming requests to URL paths containing /secrets/. Additionally, apply a Kubernetes Network Policy to restrict egress traffic from the affected pods, allowing connections only to known, legitimate endpoints to prevent data exfiltration and lateral movement.

Exploitation status

Public Exploit Available: True

Analyst recommendation

Given the critical CVSS score of 10 and the trivial nature of exploitation, this vulnerability represents a clear and present danger to the organization. We recommend that this vulnerability be treated as an emergency. The immediate priority is to apply the vendor-supplied updates to all affected applications. Following the update, a thorough investigation must be conducted, including a review of historical access logs, to identify any signs of prior compromise. Although not yet on the CISA KEV list as of its publication date, its severity makes it a prime candidate, and it should be remediated with the highest urgency.