PT-2026-55418 · Nuget · Steeltoe.Configuration.Abstractions

Published

2026-07-02

·

Updated

2026-07-02

CVSS v3.1

4.7

Medium

VectorAV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

When MySQL or PostgreSQL service bindings from VCAP SERVICES include TLS client credentials, the Connectors library writes those credentials to temporary files in Path.GetTempPath() using File.CreateText. On Linux, File.CreateText creates files with mode 0644 (world-readable) under the process umask, and the files are never deleted. The same key material is protected at mode 0400 in /proc/<pid>/environ.

Impact

Any process co-located in the container that runs as a different UID can read the TLS client private key from /tmp and use it to impersonate the application when connecting to the backing database over mutual TLS.

Affected configuration

  • Application is deployed on Cloud Foundry or another environment that populates VCAP SERVICES with a MySQL or PostgreSQL service binding that includes sslKey credentials.
  • A process running as a different UID shares the container's filesystem.

Mitigations

If an immediate upgrade is not possible, prevent other processes from running in the container under a different UID with access to /tmp.

Fix

Incorrect Permission

Cleartext Storage of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-RXRH-4J9H-XGG9

Affected Products

Steeltoe.Configuration.Abstractions