GHSA-q62h-354g-5r85
Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
Details
### Summary
The `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values including embedded `Password=` and `user:pass@host` segments are returned verbatim in `/actuator/env` responses.
### Impact
Any caller who can reach `/actuator/env` can receive connection strings containing plaintext credentials. Those credentials enable direct connection to the backing database, bypassing the application tier.
### Affected configuration
- Application configuration contains credentials in `ConnectionStrings:*` or `*:ConnectionString` keys.
- On standard deployments: `env` is added to `Management:Endpoints:Actuator:Exposure:Include`. This is not the default.
- On Cloud Foundry: the `/cloudfoundryapplication/env` path is accessible to any authenticated CF user with `read_basic_data` permissions (Space Auditor and above) regardless of the exposure configuration.
### Mitigations
If an immediate upgrade is not possible:
- On the standard path, remove `env` from the actuator exposure list.
- Add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths.
- Require authorization on actuator endpoints.
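The following Python is an added illustration, not Steeltoe's code: it models the key-suffix/regex matching the advisory describes (plain entries match as a case-insensitive suffix, entries containing regex metacharacters match the whole key), shows that the default list passes `ConnectionStrings:*` and `*:ConnectionString` values through verbatim, and contrasts it with a hardened pass that adds the `.*connectionstring.*` entry and a value-based scrub of `Password=` segments and `user:pass@` URI userinfo. The configuration dictionary is constructed sample data, and `sanitize_by_key`, `sanitize_hardened` and `scrub_value` are hypothetical names chosen for this example.

```python
import re

# Default sanitizer list as described in the advisory; names are matched
# against the configuration key, never against the value.
DEFAULT_KEYS_TO_SANITIZE = [
    "password", "secret", "key", "token", ".*credentials.*", "vcap_services",
]
REDACTED = "******"

# Constructed sample configuration (flattened .NET keys); not real credentials.
SAMPLE_CONFIG = {
    "ConnectionStrings:Default": "Server=db.internal;Database=app;User Id=app;Password=Hunter2!;",
    "Steeltoe:Client:PostgreSql:Default:ConnectionString": "Host=pg.internal;Username=app;Password=s3cr3t",
    "Redis:Url": "redis://app:topsecret@cache.internal:6379",
    "Db:Password": "Hunter2!",
    "vcap:services:mysql:credentials:uri": "mysql://svc:pw@mysql.internal/app",
    "Logging:LogLevel:Default": "Information",
}


def _is_regex(entry: str) -> bool:
    # Plain words (and vcap_services) are suffix matches; anything with
    # metacharacters such as ".*credentials.*" is treated as a regex.
    return not entry.replace("_", "").isalnum()


def key_matches(key: str, entries) -> bool:
    for entry in entries:
        if _is_regex(entry):
            if re.fullmatch(entry, key, re.IGNORECASE):
                return True
        elif key.lower().endswith(entry.lower()):
            return True
    return False


def sanitize_by_key(config: dict, entries=DEFAULT_KEYS_TO_SANITIZE) -> dict:
    """Key-name-only redaction: models the vulnerable behaviour."""
    return {k: (REDACTED if key_matches(k, entries) else v) for k, v in config.items()}


# Value-based patterns: ADO.NET style "Password=...;" / "Pwd=...;" and the
# userinfo part of a URI ("scheme://user:pass@host").
_KV_SECRET = re.compile(r"(?i)\b(password|pwd|pass)\s*=\s*[^;]*")
_URI_USERINFO = re.compile(r"(?i)(://[^:/@\s]+:)[^@/\s]+(@)")


def scrub_value(value: str) -> str:
    value = _KV_SECRET.sub(lambda m: f"{m.group(1)}={REDACTED}", value)
    return _URI_USERINFO.sub(lambda m: f"{m.group(1)}{REDACTED}{m.group(2)}", value)


HARDENED_KEYS = DEFAULT_KEYS_TO_SANITIZE + [".*connectionstring.*"]


def sanitize_hardened(config: dict, entries=HARDENED_KEYS) -> dict:
    """Key matching with the extra entry, plus value scrubbing for what remains."""
    out = {}
    for k, v in config.items():
        if key_matches(k, entries):
            out[k] = REDACTED
        else:
            out[k] = scrub_value(v) if isinstance(v, str) else v
    return out


if __name__ == "__main__":
    for label, result in (("default", sanitize_by_key(SAMPLE_CONFIG)),
                          ("hardened", sanitize_hardened(SAMPLE_CONFIG))):
        print(f"--- {label} ---")
        for k, v in result.items():
            print(f"{k} = {v}")
```

Running it shows the two connection-string keys and the Redis URL surviving the default pass with their passwords intact, while `Db:Password` and the `vcap:...:credentials:...` key are redacted; the hardened pass redacts the connection strings by key and masks the userinfo in the Redis URL by value. The value scrub is a backstop for keys nobody thought to list, not a replacement for the `KeysToSanitize` entry the advisory recommends.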
Affected packages
- Steeltoe.Management.Endpoint: fixed in 4.2.0 (`dotnet add package Steeltoe.Management.Endpoint --version 4.2.0`)
- Steeltoe.Management.EndpointCore: fixed in 3.4.0 (`dotnet add package Steeltoe.Management.EndpointCore --version 3.4.0`)
References
- https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-q62h-354g-5r85 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-50200 [ADVISORY]
- https://github.com/SteeltoeOSS/Steeltoe/commit/bef9f14b710232fca3fbe87e48fdd1b9e6b60d43 [WEB]
- https://github.com/SteeltoeOSS/Steeltoe/commit/e50cd31a429b191841120f0d38fa9dda8f751b0a [WEB]
- https://github.com/SteeltoeOSS/Steeltoe [PACKAGE]