Description
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values including embedded `Password=` and `user:pass@host` segments are returned verbatim in `/actuator/env` responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove `env` from the actuator exposure list; add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Sanitizer component in Steeltoe's Environment actuator decides what to redact by matching configuration key names against a suffix list, and that default list does not match the standard `ConnectionStrings:<name>` keys or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. Because values are never inspected, the /actuator/env endpoint returns full connection strings, including embedded `Password=` and `user:pass@host` segments, in cleartext. The result is disclosure of the credentials needed for database access. The weakness is classified as CWE-200 and CWE-319.

Affected Systems

Affected versions are Steeltoe.Management.Endpoint prior to 4.2.0 and Steeltoe.Management.EndpointCore prior to 3.4.0, both published by the SteeltoeOSS organization. The patch is available in 4.2.0 for Endpoint and 3.4.0 for EndpointCore.

Risk and Exploitability

The CVSS vector (AV:N/AC:L/PR:N/UI:N) models an unauthenticated network attacker: if the actuator endpoints are reachable, a single GET request to /actuator/env returns the credentials, with no interaction or special conditions required. The 7.5 score reflects a high confidentiality impact with no integrity or availability impact, while the EPSS score of <1% indicates a low estimated probability of exploitation in the wild at the time of this analysis. If access to the actuators is restricted, exposure is confined to authenticated or internal users who can reach them. This vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on June 18, 2026 at 19:55 UTC.

Remediation

Vendor fix: Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. Vendor-stated workarounds if an immediate upgrade is not possible: remove `env` from the actuator exposure list (on the standard path), add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure, and/or require authorization on actuator endpoints.

OpenCVE Recommended Actions

  • Upgrade to Steeltoe.Management.Endpoint 4.2.0 or later, or Steeltoe.Management.EndpointCore 3.4.0 or later, whichever package the application uses; this is the only complete fix.
  • Remove `env` from the actuator exposure list (the advisory notes this applies to the standard actuator path) so the endpoint is not served at all.
  • Add the regex `.*connectionstring.*` to `KeysToSanitize` so values under `ConnectionStrings:<name>` and `...:ConnectionString` keys are redacted. This is key-name matching only: a connection string stored under a key that does not contain "connectionstring" (or another listed suffix) is still returned in full, so treat this as defense in depth rather than a fix.
  • Require authentication and authorization on actuator endpoints so that /actuator/env cannot be read by anonymous callers; do not rely on network position alone.
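The key-name matching described in the advisory and the `KeysToSanitize` workaround in the list above, as an added example that is not Steeltoe's code: a stand-alone Python model of a suffix/regex key sanitizer run over a constructed configuration with fake credentials, first with the default list, then with `.*connectionstring.*` added, then with an extra value-based scrub for `Password=` and `user:pass@host` segments. The matching rules (plain entries treated as case-insensitive suffix matches, entries containing regex metacharacters treated as regexes), the mask text, the sample keys and values, and the value-scrubbing regexes are assumptions made for this example, not Steeltoe's implementation.

```python
"""Added example: a stand-alone model of key-name-based env redaction.

This is NOT Steeltoe's code. It reproduces the behaviour the advisory
describes: a configuration value is masked only when its key name matches
an entry in KeysToSanitize. Entries containing regex metacharacters are
treated as case-insensitive regular expressions; plain entries are
case-insensitive suffix matches. The exact matching rules and the mask
text are assumptions made for this example.
"""
import re

# Default list as quoted in the advisory.
DEFAULT_KEYS_TO_SANITIZE = [
    "password", "secret", "key", "token", ".*credentials.*", "vcap_services",
]
# Entry the advisory recommends adding as a workaround.
CONNECTION_STRING_RULE = ".*connectionstring.*"
MASK = "******"  # assumed placeholder; the real mask text does not matter here

# Constructed sample configuration with fake credentials (no real secrets).
SAMPLE_CONFIG = {
    "Logging:LogLevel:Default": "Information",
    "Api:Key": "api-key-EXAMPLE",
    "Aws:Credentials:Secret": "aws-secret-EXAMPLE",
    "ConnectionStrings:Default":
        "Server=db.internal;Database=app;User Id=app;Password=Pa55w0rd!;",
    "Steeltoe:Client:PostgreSql:Default:ConnectionString":
        "Host=pg.internal;Username=app;Password=hunter2;Database=app",
    # A connection string under a key that names neither "password" nor
    # "connectionstring": the key-based workaround cannot catch this one.
    "Database:Url": "postgres://app:hunter2@pg.internal:5432/app",
}

_REGEX_METACHARS = set(r".*+?[](){}|^$\\")


def _compile(entry: str) -> re.Pattern:
    """Regex entry -> used as-is; plain entry -> 'key ends with entry'."""
    if any(ch in _REGEX_METACHARS for ch in entry):
        return re.compile(entry, re.IGNORECASE)
    return re.compile(re.escape(entry) + r"$", re.IGNORECASE)


def sanitize_by_key(key: str, value: str, keys_to_sanitize=None) -> str:
    """Key-name matching only: the value itself is never inspected."""
    rules = keys_to_sanitize if keys_to_sanitize is not None else DEFAULT_KEYS_TO_SANITIZE
    if any(_compile(rule).search(key) for rule in rules):
        return MASK
    return value


# Value-based scrubbing: NOT something the affected versions do. Added here
# as defense in depth for secrets that live under arbitrary key names.
_ADO_PASSWORD = re.compile(r"\b(password|pwd)\s*=\s*[^;]*", re.IGNORECASE)
_URL_USERINFO = re.compile(r"(://[^/:@\s]+:)[^@\s]+(@)")


def scrub_value(value: str) -> str:
    """Mask `Password=...` segments and `user:pass@host` URL credentials."""
    value = _ADO_PASSWORD.sub(lambda m: f"{m.group(1)}={MASK}", value)
    value = _URL_USERINFO.sub(lambda m: f"{m.group(1)}{MASK}{m.group(2)}", value)
    return value


def render_env(config, keys_to_sanitize=None, scrub_values=False):
    """Model of what /actuator/env would return for `config`."""
    out = {}
    for key, value in config.items():
        masked = sanitize_by_key(key, value, keys_to_sanitize)
        if scrub_values and masked != MASK:
            masked = scrub_value(masked)
        out[key] = masked
    return out


def leaked_keys(rendered, secrets=("Pa55w0rd!", "hunter2")):
    """Keys whose rendered value still contains one of the sample secrets."""
    return sorted(k for k, v in rendered.items() if any(s in v for s in secrets))


if __name__ == "__main__":
    rules = DEFAULT_KEYS_TO_SANITIZE + [CONNECTION_STRING_RULE]
    print("default list leaks:    ", leaked_keys(render_env(SAMPLE_CONFIG)))
    print("plus key rule leaks:   ", leaked_keys(render_env(SAMPLE_CONFIG, rules)))
    print("plus value scrub leaks:", leaked_keys(render_env(SAMPLE_CONFIG, rules, scrub_values=True)))
```

Running it shows the three stages: the default list masks `Api:Key` and `Aws:Credentials:Secret` but leaks all three connection strings; adding the advisory's `.*connectionstring.*` rule masks the two keys that contain "ConnectionString" but still leaks `Database:Url`; only the value scrub catches the last one. That residual gap is why the `KeysToSanitize` change is defense in depth and the upgrade is the fix.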


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

  • Metrics (added): SSVC v2.0.3, Exploitation: none, Automatable: yes, Technical Impact: partial

Thu, 18 Jun 2026 04:45:00 +0000

  • Description (added): the text shown under Description above
  • Title (added): Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
  • Weaknesses (added): CWE-200, CWE-319
  • References (added): none listed
  • Metrics (added): CVSS v3.1 score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T15:45:27.834Z

Reserved: 2026-06-03T22:05:13.645Z

Link: CVE-2026-50200

Vulnrichment

Updated: 2026-06-18T15:45:23.650Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-319: Cleartext Transmission of Sensitive Information