HIGH 7.5

GHSA-q62h-354g-5r85

Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords

Details

### Summary

The `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values including embedded `Password=` and `user:pass@host` segments are returned verbatim in `/actuator/env` responses.

### Impact

Any caller who can reach `/actuator/env` can receive connection strings containing plaintext credentials. Those credentials enable direct connection to the backing database, bypassing the application tier.

### Affected configuration

- Application configuration contains credentials in `ConnectionStrings:*` or `*:ConnectionString` keys.
- On standard deployments: `env` is added to `Management:Endpoints:Actuator:Exposure:Include`. This is not the default.
- On Cloud Foundry: the `/cloudfoundryapplication/env` path is accessible to any authenticated CF user with `read_basic_data` permissions (Space Auditor and above) regardless of the exposure configuration.

### Mitigations

If an immediate upgrade is not possible:

- On the standard path, remove `env` from the actuator exposure list.
- Add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths.
- Require authorization on actuator endpoints.
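Added illustration, not Steeltoe's code: a small Python model of the key-based matching described in the Summary and of the `.*connectionstring.*` mitigation above, plus the value-based scrubbing the advisory notes is absent, run over a constructed configuration. The matching rule (regex patterns apply to the whole key, plain patterns must match the end of the key), the redaction marker and the scrubbing regexes are assumptions.

```python
import re

# Default list quoted in the advisory.
DEFAULT_KEYS_TO_SANITIZE = ["password", "secret", "key", "token", ".*credentials.*", "vcap_services"]
# Mitigation from the advisory: also redact any key containing "connectionstring".
HARDENED_KEYS_TO_SANITIZE = DEFAULT_KEYS_TO_SANITIZE + [".*connectionstring.*"]

REDACTED = "******"  # assumed marker


def key_matches(key: str, pattern: str) -> bool:
    """Assumed rule: patterns with regex metacharacters match the whole key,
    plain patterns match as a case-insensitive suffix of the key."""
    k, p = key.lower(), pattern.lower()
    if any(c in p for c in ".*[]()^$"):
        return re.fullmatch(p, k) is not None
    return k.endswith(p)


def sanitize_by_key(config: dict, keys_to_sanitize: list) -> dict:
    """Key-based redaction only, as the advisory describes the Sanitizer doing."""
    return {k: (REDACTED if any(key_matches(k, p) for p in keys_to_sanitize) else v)
            for k, v in config.items()}


# Value-based scrubbing (defense in depth the advisory says is missing):
# redact "Password=..."/"Pwd=..." segments and the password in user:pass@host URLs.
_KV_PASSWORD = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;]*")
_URL_PASSWORD = re.compile(r"(://[^:/@\s]+:)[^@\s]+(@)")


def scrub_value(value: str) -> str:
    value = _KV_PASSWORD.sub(lambda m: f"{m.group(1)}={REDACTED}", value)
    return _URL_PASSWORD.sub(lambda m: f"{m.group(1)}{REDACTED}{m.group(2)}", value)


def sanitize(config: dict, keys_to_sanitize: list, scrub_values: bool = False) -> dict:
    out = sanitize_by_key(config, keys_to_sanitize)
    if scrub_values:
        out = {k: (v if v == REDACTED else scrub_value(v)) for k, v in out.items()}
    return out


# Constructed sample configuration; the credentials are placeholders.
SAMPLE_CONFIG = {
    "ConnectionStrings:Default": "Server=db;Database=app;User Id=app;Password=hunter2",
    "Steeltoe:Client:PostgreSql:Default:ConnectionString": "postgres://app:s3cret@db:5432/app",
    "Jwt:SigningKey": "abc123",
    "Logging:LogLevel:Default": "Information",
}
```

With the default list only `Jwt:SigningKey` is redacted and both connection strings pass through intact; the hardened list redacts them by key, and value scrubbing catches the embedded password even when the key is not in the list.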


Affected packages

- NuGet / Steeltoe.Management.Endpoint: introduced in 0, fixed in 4.2.0. Fix: `dotnet add package Steeltoe.Management.Endpoint --version 4.2.0`
- NuGet / Steeltoe.Management.EndpointCore: introduced in 0, fixed in 3.4.0. Fix: `dotnet add package Steeltoe.Management.EndpointCore --version 3.4.0`
