PT-2026-55409 · Nuget · Steeltoe.Management.Endpoint+1

Publicado

2026-07-02

·

Atualizado

2026-07-02

CVSS v3.1

7.5

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

The Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (password, secret, key, token, .*credentials.*, vcap services) does not cover the standard .NET pattern ConnectionStrings:<name> or Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString. There is no value-based scrubbing, so full connection string values including embedded Password= and user:pass@host segments are returned verbatim in /actuator/env responses.

Impact

Any caller who can reach /actuator/env can receive connection strings containing plaintext credentials. Those credentials enable direct connection to the backing database, bypassing the application tier.

Affected configuration

  • Application configuration contains credentials in ConnectionStrings:* or *:ConnectionString keys.
  • On standard deployments: env is added to Management:Endpoints:Actuator:Exposure:Include. This is not the default.
  • On Cloud Foundry: the /cloudfoundryapplication/env path is accessible to any authenticated CF user with read basic data permissions (Space Auditor and above) regardless of the exposure configuration.

Mitigations

If an immediate upgrade is not possible:
  • On the standard path, remove env from the actuator exposure list.
  • Add .*connectionstring.* to KeysToSanitize as a defense-in-depth measure for both paths.
  • Require authorization on actuator endpoints.

Correção

Information Disclosure

Cleartext Transmission of Sensitive Information

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-Q62H-354G-5R85

Produtos afetados

Steeltoe.Management.Endpoint
Steeltoe.Management.Endpointcore