PT-2026-55409 · Nuget · Steeltoe.Management.Endpoint+1
Publicado
2026-07-02
·
Atualizado
2026-07-02
CVSS v3.1
7.5
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Summary
The
Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (password, secret, key, token, .*credentials.*, vcap services) does not cover the standard .NET pattern ConnectionStrings:<name> or Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString. There is no value-based scrubbing, so full connection string values including embedded Password= and user:pass@host segments are returned verbatim in /actuator/env responses.Impact
Any caller who can reach
/actuator/env can receive connection strings containing plaintext credentials. Those credentials enable direct connection to the backing database, bypassing the application tier.Affected configuration
- Application configuration contains credentials in
ConnectionStrings:*or*:ConnectionStringkeys. - On standard deployments:
envis added toManagement:Endpoints:Actuator:Exposure:Include. This is not the default. - On Cloud Foundry: the
/cloudfoundryapplication/envpath is accessible to any authenticated CF user withread basic datapermissions (Space Auditor and above) regardless of the exposure configuration.
Mitigations
If an immediate upgrade is not possible:
- On the standard path, remove
envfrom the actuator exposure list. - Add
.*connectionstring.*toKeysToSanitizeas a defense-in-depth measure for both paths. - Require authorization on actuator endpoints.
Correção
Information Disclosure
Cleartext Transmission of Sensitive Information
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Steeltoe.Management.Endpoint
Steeltoe.Management.Endpointcore