Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
GHSA-q62h-354g-5r85 · CVE-2026-50200
Published · Modified
Description
Summary
The Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (password, secret, key, token, .*credentials.*, vcap_services) does not cover the standard .NET pattern ConnectionStrings:<name> or Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString. There is no value-based scrubbing, so full connection string values including embedded Password= and user:pass@host segments are returned verbatim in /actuator/env responses.
Impact
Any caller who can reach /actuator/env can receive connection strings containing plaintext credentials. Those credentials enable direct connection to the backing database, bypassing the application tier.
Affected configuration
- Application configuration contains credentials in
ConnectionStrings:*or*:ConnectionStringkeys. - On standard deployments:
envis added toManagement:Endpoints:Actuator:Exposure:Include. This is not the default. - On Cloud Foundry: the
/cloudfoundryapplication/envpath is accessible to any authenticated CF user withread_basic_datapermissions (Space Auditor and above) regardless of the exposure configuration.
Mitigations
If an immediate upgrade is not possible:
- On the standard path, remove
envfrom the actuator exposure list. - Add
.*connectionstring.*toKeysToSanitizeas a defense-in-depth measure for both paths. - Require authorization on actuator endpoints.
References
- WEB https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-q62h-354g-5r85
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-50200
- WEB https://github.com/SteeltoeOSS/Steeltoe/commit/bef9f14b710232fca3fbe87e48fdd1b9e6b60d43
- WEB https://github.com/SteeltoeOSS/Steeltoe/commit/e50cd31a429b191841120f0d38fa9dda8f751b0a
- PACKAGE https://github.com/SteeltoeOSS/Steeltoe
Ready to move
Start Securing
Free, no credit card | First findings in minutes