New: Corgea AI Pentesting — autonomous penetration testing in hours, not weeks
HIGH 7.5 NuGet

Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords

GHSA-q62h-354g-5r85 · CVE-2026-50200

Published · Modified

Description

Summary

The Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (password, secret, key, token, .*credentials.*, vcap_services) does not cover the standard .NET pattern ConnectionStrings:<name> or Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString. There is no value-based scrubbing, so full connection string values including embedded Password= and user:pass@host segments are returned verbatim in /actuator/env responses.

Impact

Any caller who can reach /actuator/env can receive connection strings containing plaintext credentials. Those credentials enable direct connection to the backing database, bypassing the application tier.

Affected configuration

  • Application configuration contains credentials in ConnectionStrings:* or *:ConnectionString keys.
  • On standard deployments: env is added to Management:Endpoints:Actuator:Exposure:Include. This is not the default.
  • On Cloud Foundry: the /cloudfoundryapplication/env path is accessible to any authenticated CF user with read_basic_data permissions (Space Auditor and above) regardless of the exposure configuration.

Mitigations

If an immediate upgrade is not possible:

  • On the standard path, remove env from the actuator exposure list.
  • Add .*connectionstring.* to KeysToSanitize as a defense-in-depth measure for both paths.
  • Require authorization on actuator endpoints.

Ready to move

Start Securing

Free, no credit card | First findings in minutes