PT-2026-55418 · Nuget · Steeltoe.Configuration.Abstractions
Published
2026-07-02
·
Updated
2026-07-02
CVSS v3.1
4.7
Medium
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
Summary
When MySQL or PostgreSQL service bindings from
VCAP SERVICES include TLS client credentials, the Connectors library writes those credentials to temporary files in Path.GetTempPath() using File.CreateText. On Linux, File.CreateText creates files with mode 0644 (world-readable) under the process umask, and the files are never deleted. The same key material is protected at mode 0400 in /proc/<pid>/environ.Impact
Any process co-located in the container that runs as a different UID can read the TLS client private key from
/tmp and use it to impersonate the application when connecting to the backing database over mutual TLS.Affected configuration
- Application is deployed on Cloud Foundry or another environment that populates
VCAP SERVICESwith a MySQL or PostgreSQL service binding that includessslKeycredentials. - A process running as a different UID shares the container's filesystem.
Mitigations
If an immediate upgrade is not possible, prevent other processes from running in the container under a different UID with access to
/tmp.Fix
Incorrect Permission
Cleartext Storage of Sensitive Information
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Steeltoe.Configuration.Abstractions