Description
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or PostgreSQL service bindings from `VCAP_SERVICES` include TLS client credentials, the Connectors library writes those credentials to temporary files in `Path.GetTempPath()` using `File.CreateText`. On Linux, `File.CreateText` creates files with mode `0644` (world-readable) under the process umask, and the files are never deleted. The same key material is protected at mode `0400` in `/proc/<pid>/environ`. Steeltoe.Configuration.Abstractions version 4.2.0 patches the issue. If an immediate upgrade is not possible, prevent other processes from running in the container under a different UID with access to `/tmp`.
Published: 2026-06-17
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability affects Steeltoe.Configuration.Abstractions versions 4.0.0 through 4.1.0: when MySQL or PostgreSQL service bindings include TLS client credentials, the library writes them to temporary files under the operating system's default temporary path. On Linux the files are created with mode 0644, so every local user can read them, and they are never deleted. An attacker who can read the file system can therefore obtain private key material that should stay secret, compromising the confidentiality of the TLS connections it protects. The same key material sits in /proc/<pid>/environ with stricter permissions, but the temporary files are a much lower-effort target: they persist on disk and are readable by any local user. Affected systems are all installations of the Steeltoe.Configuration.Abstractions library between versions 4.0.0 and 4.1.0 inclusive, maintained by SteeltoeOSS. The fix ships in version 4.2.0 and removes the insecure handling of key material.
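As an added illustration of the write pattern the Description and the Impact paragraph describe (this is example code, not Steeltoe's own Connectors code), the insecure temp-file write sits beside a hardened form. The names `TlsMaterialFiles`, `PrivateTempFile` and `IsOwnerOnly` are assumed here, and the hardened path relies on the .NET 7+ `UnixFileMode` APIs.

```csharp
// Added example, not Steeltoe's code. Requires .NET 7 or later on Linux/macOS.
using System;
using System.IO;
using System.Runtime.InteropServices;

static class TlsMaterialFiles
{
    // Pattern from the advisory: File.CreateText in the shared temp directory
    // yields mode 0644 under the default umask, and nothing ever deletes the file.
    public static string WriteInsecure(string pemContents)
    {
        string path = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        using (StreamWriter w = File.CreateText(path))
            w.Write(pemContents);
        return path;
    }

    // Hardened form: a 0700 directory, a file created with 0600 at open time
    // (no window where it exists as 0644), and removal when the caller is done.
    public sealed class PrivateTempFile : IDisposable
    {
        public string FilePath { get; }
        private readonly DirectoryInfo _dir;

        public PrivateTempFile(string pemContents)
        {
            _dir = Directory.CreateTempSubdirectory("tls-"); // mode 0700 on Unix
            FilePath = Path.Combine(_dir.FullName, "client.pem");
            var options = new FileStreamOptions
            {
                Mode = FileMode.CreateNew,   // refuse to reuse a pre-existing path
                Access = FileAccess.Write,
                Share = FileShare.None,
            };
            if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
                options.UnixCreateMode = UnixFileMode.UserRead | UnixFileMode.UserWrite; // 0600
            using var stream = new FileStream(FilePath, options);
            using var w = new StreamWriter(stream);
            w.Write(pemContents);
        }

        public void Dispose() => _dir.Delete(recursive: true);
    }

    // Check used by a defender or test: is the file readable by its owner only?
    public static bool IsOwnerOnly(string path)
    {
        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) return true; // ACLs, not covered here
        const UnixFileMode others = UnixFileMode.GroupRead | UnixFileMode.GroupWrite
                                  | UnixFileMode.OtherRead | UnixFileMode.OtherWrite;
        return (File.GetUnixFileMode(path) & others) == 0;
    }
}
```

Running `IsOwnerOnly` against a path returned by `WriteInsecure` under a default umask reports false, while a `PrivateTempFile` reports true until it is disposed.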

Affected Systems

All installations of Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0 from SteeltoeOSS.

Risk and Exploitability

Risk and exploitability assessment: the CVSS score of 4.7 indicates moderate severity. The EPSS score of <1% suggests that the vulnerability is unlikely to be widely exploited in the near term, and it is not listed in CISA's KEV catalog. The likely attack vector is local to the container or host: an attacker with read access to the application's temporary directory can retrieve the keys. The vulnerability does not provide a remote code execution path, but it does enable credential leakage if the environment is not tightly controlled.

Generated by OpenCVE AI on June 18, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Steeltoe.Configuration.Abstractions to version 4.2.0 or later
  • If an upgrade is not possible, configure the container runtime to run all processes under a unique and protected UID that does not have read access to the system /tmp directory
  • Set a restrictive umask or mount the temporary directory with read-only permissions for non-privileged processes
  • Consider deleting any existing /tmp files containing TLS credentials before application shutdown or restart



Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
Values Added: Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or PostgreSQL service bindings from `VCAP_SERVICES` include TLS client credentials, the Connectors library writes those credentials to temporary files in `Path.GetTempPath()` using `File.CreateText`. On Linux, `File.CreateText` creates files with mode `0644` (world-readable) under the process umask, and the files are never deleted. The same key material is protected at mode `0400` in `/proc/<pid>/environ`. Steeltoe.Configuration.Abstractions version 4.2.0 patches the issue. If an immediate upgrade is not possible, prevent other processes from running in the container under a different UID with access to `/tmp`.

Type: Title
Values Added: Steeltoe: TLS private keys written to /tmp with default permissions, never deleted

Type: Weaknesses
Values Added: CWE-312, CWE-732

Type: References
Values Added: (empty in this record)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T19:11:04.674Z

Reserved: 2026-06-04T16:26:05.984Z

Link: CVE-2026-50267

Vulnrichment

Updated: 2026-06-18T19:10:49.952Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-312: Cleartext Storage of Sensitive Information
  • CWE-732: Incorrect Permission Assignment for Critical Resource