HIGH 8.2

GHSA-58f6-6rj2-3v8r

Steeltoe vulnerable to management-port isolation bypass via spoofed Host header

Details

### Summary

When Steeltoe management endpoints are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port.

### Impact

An unauthenticated remote attacker can reach every actuator endpoint using a specially crafted HTTP request.

### Affected configuration

- The application's public port is accessible from the network.
- `Management:Endpoints:Port` is configured to a value different from the application's main listener port.
- The request scheme matches `Management:Endpoints:SslEnabled`: for example, `http` when `SslEnabled` is `false` (the default), or `https` when `SslEnabled` is `true`.

### Mitigations

If an immediate upgrade to a patched version is not possible:

- Add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation.
- Configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port.
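The root cause and the first mitigation in code, as an added example written here in generic ASP.NET Core minimal-hosting form; it is not Steeltoe's own middleware. It assumes `Management:Endpoints:Port` holds the management port, that actuators live under the default `/actuator` base path, that `AddAllActuators`/`MapAllActuators` are the Steeltoe 3.x registration and mapping calls for the version you run, and that `"ActuatorAdmin"` and the `actuator-admin` role are hypothetical names.

```csharp
// Added example, not Steeltoe's own code: the root cause of GHSA-58f6-6rj2-3v8r
// and the first mitigation above, in generic ASP.NET Core minimal-hosting form.
// Assumptions: Management:Endpoints:Port holds the management port; AddAllActuators /
// MapAllActuators are Steeltoe 3.x API names; "ActuatorAdmin" is a hypothetical policy.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Steeltoe.Management.Endpoint;

var builder = WebApplication.CreateBuilder(args);

// Prerequisite for mitigation 1: an authentication scheme and an authorization policy
// for actuator callers. JwtBearer needs Microsoft.AspNetCore.Authentication.JwtBearer
// plus Authority/Audience settings for your identity provider (left as placeholders).
builder.Services.AddAuthentication("Bearer").AddJwtBearer();
builder.Services.AddAuthorization(options =>
    options.AddPolicy("ActuatorAdmin", policy => policy.RequireRole("actuator-admin")));
builder.Services.AddAllActuators(builder.Configuration);

var app = builder.Build();
int managementPort = app.Configuration.GetValue<int>("Management:Endpoints:Port");

// Port isolation decided on the accepted socket, not on the Host header.
app.Use(async (context, next) =>
{
    // context.Request.Host.Port is parsed from the client-supplied Host header (or from
    // X-Forwarded-Host when forwarded-headers middleware is on); comparing it with
    // managementPort is the bypassable check the advisory describes.
    // context.Connection.LocalPort is the port the listener actually accepted the TCP
    // connection on and cannot be influenced by anything in the request.
    bool onManagementPort = context.Connection.LocalPort == managementPort;
    bool isActuator = context.Request.Path.StartsWithSegments("/actuator");

    if (isActuator && !onManagementPort)
    {
        context.Response.StatusCode = StatusCodes.Status404NotFound; // hide, don't hint
        return;
    }
    await next(context);
});

app.UseAuthentication();
app.UseAuthorization();

// Mitigation 1: authorization on every actuator route, independent of port isolation.
app.MapAllActuators().RequireAuthorization("ActuatorAdmin");
app.Run();
```

Behind a reverse proxy, `Connection.LocalPort` is the port the proxy connected to, so the proxy must itself only forward public traffic to the application port (mitigation 2); the socket check protects against direct connections and Host spoofing, not against a proxy that forwards to the management port.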


Affected packages

| Ecosystem / package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| NuGet / Steeltoe.Management.Endpoint | 0 | 4.2.0 | `dotnet add package Steeltoe.Management.Endpoint --version 4.2.0` |
| NuGet / Steeltoe.Management.EndpointCore | 3.2.2 | 3.4.0 | `dotnet add package Steeltoe.Management.EndpointCore --version 3.4.0` |