GHSA-q62h-354g-5r85

Source
https://github.com/advisories/GHSA-q62h-354g-5r85
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-q62h-354g-5r85/GHSA-q62h-354g-5r85.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q62h-354g-5r85
Aliases
  • CVE-2026-50200
Published
2026-07-02T20:31:11Z
Modified
2026-07-02T20:45:16.479764051Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
Details

Summary

The Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (password, secret, key, token, .*credentials.*, vcap_services) does not cover the standard .NET pattern ConnectionStrings:<name> or Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString. There is no value-based scrubbing, so full connection string values, including embedded Password= and user:pass@host segments, are returned verbatim in /actuator/env responses.

Impact

Any caller who can reach /actuator/env can receive connection strings containing plaintext credentials. Those credentials enable direct connection to the backing database, bypassing the application tier.

Affected configuration

  • Application configuration contains credentials in ConnectionStrings:* or *:ConnectionString keys.
  • On standard deployments: env has been added to Management:Endpoints:Actuator:Exposure:Include (env is not exposed by default).
  • On Cloud Foundry: the /cloudfoundryapplication/env path is accessible to any authenticated CF user with read_basic_data permissions (Space Auditor and above) regardless of the exposure configuration.

Mitigations

If an immediate upgrade is not possible:

  • On the standard path, remove env from the actuator exposure list.
  • Add .*connectionstring.* to KeysToSanitize as a defense-in-depth measure for both paths. This is still key-name matching: credentials embedded in values under keys with other names (for example a URL with user:pass@host) remain unscrubbed, so review the /actuator/env output after the change.
  • Require authorization on actuator endpoints.
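The following Python model illustrates the gap described in the Summary and the effect of the KeysToSanitize mitigation. It is an added example, not Steeltoe's code: the key-matching rule (a plain entry matches as a case-insensitive suffix of the key name, an entry containing regex metacharacters is applied as a regular expression) is an assumption about the sanitizer's behaviour, the configuration dictionary and its credentials are constructed, and the value-based scrubber and leaked_keys() check are suggestions that go beyond what the advisory lists.

```python
import re

REDACTED = "******"

# Default key list as stated in the advisory.
DEFAULT_KEYS_TO_SANITIZE = ["password", "secret", "key", "token", ".*credentials.*", "vcap_services"]
# Advisory's suggested defense-in-depth addition.
MITIGATED_KEYS_TO_SANITIZE = DEFAULT_KEYS_TO_SANITIZE + [".*connectionstring.*"]

# Constructed sample configuration (flattened, ':'-separated keys as in .NET configuration).
SAMPLE_CONFIG = {
    "ConnectionStrings:Default": "Server=db.internal;Database=app;User Id=svc;Password=Hunter2;",
    "Steeltoe:Client:PostgreSql:Default:ConnectionString": "Host=pg.internal;Username=svc;Password=s3cr3t",
    "Redis:Url": "redis://app:redispass@cache.internal:6379",
    "Jwt:SigningKey": "base64-secret",
    "Api:Token": "tok_example",
    "Logging:LogLevel:Default": "Information",
}

# Credential shapes that can hide inside a value regardless of the key name.
VALUE_CREDENTIAL_PATTERNS = [
    # Password=... / Pwd=... segments of ADO.NET / Npgsql style connection strings
    re.compile(r"(?i)\b(password|pwd)\s*=\s*(?!\*)[^;]+"),
    # scheme://user:pass@host URL-style credentials
    re.compile(r"(://[^/\s:@]+:)(?!\*)[^@\s/]+@"),
]


def key_matches(key: str, pattern: str) -> bool:
    """Modelled key-name matching (assumption): plain entries are case-insensitive
    suffixes, entries with regex metacharacters must match the whole key."""
    k, p = key.lower(), pattern.lower()
    if re.fullmatch(r"[a-z0-9_]+", p):
        return k.endswith(p)
    return re.fullmatch(p, k) is not None


def scrub_value(value: str) -> str:
    """Value-based scrubbing (not in the affected sanitizer): mask credential segments."""
    value = VALUE_CREDENTIAL_PATTERNS[0].sub(lambda m: m.group(1) + "=" + REDACTED, value)
    value = VALUE_CREDENTIAL_PATTERNS[1].sub(lambda m: m.group(1) + REDACTED + "@", value)
    return value


def sanitize(config: dict, keys_to_sanitize: list, scrub_values: bool = False) -> dict:
    """Return what an env-style endpoint would expose for `config`."""
    out = {}
    for key, value in config.items():
        if any(key_matches(key, p) for p in keys_to_sanitize):
            out[key] = REDACTED
        elif scrub_values and isinstance(value, str):
            out[key] = scrub_value(value)
        else:
            out[key] = value
    return out


def leaked_keys(exposed: dict) -> list:
    """Keys whose exposed value still carries a recognisable credential.
    Usable as a check against a real /actuator/env 'propertySources' flattening."""
    return sorted(
        k for k, v in exposed.items()
        if isinstance(v, str) and any(p.search(v) for p in VALUE_CREDENTIAL_PATTERNS)
    )


if __name__ == "__main__":
    for label, keys, scrub in [
        ("default key list", DEFAULT_KEYS_TO_SANITIZE, False),
        ("with .*connectionstring.*", MITIGATED_KEYS_TO_SANITIZE, False),
        ("with .*connectionstring.* and value scrubbing", MITIGATED_KEYS_TO_SANITIZE, True),
    ]:
        exposed = sanitize(SAMPLE_CONFIG, keys, scrub)
        print(f"{label}: leaked keys -> {leaked_keys(exposed)}")
```

With the default list only Jwt:SigningKey and Api:Token are masked; both connection strings and the Redis URL leak. Adding .*connectionstring.* closes the two connection-string keys but not the URL-style credential under Redis:Url, which is why the value scrubber is shown alongside it.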
Database specific
{
    "github_reviewed_at": "2026-07-02T20:31:11Z",
    "nvd_published_at": "2026-06-17T22:16:24Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200",
        "CWE-319"
    ],
    "severity": "HIGH"
}
References

Affected packages

NuGet / Steeltoe.Management.Endpoint

Package

Name
Steeltoe.Management.Endpoint
Purl
pkg:nuget/Steeltoe.Management.Endpoint

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.2.0

Affected versions

1.*
1.1.0-rc3
1.1.0
4.*
4.0.0-beta1
4.0.0-rc1
4.0.0
4.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-q62h-354g-5r85/GHSA-q62h-354g-5r85.json"
last_known_affected_version_range
"<= 4.1.0"

NuGet / Steeltoe.Management.EndpointCore

Package

Name
Steeltoe.Management.EndpointCore
Purl
pkg:nuget/Steeltoe.Management.EndpointCore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.4.0

Affected versions

2.*
2.0.0-rc1
2.0.0
2.0.1
2.1.0-rc1
2.1.0
2.1.1
2.2.0-rc1
2.2.0-rc2
2.2.0
2.2.1
2.3.0-rc1
2.3.0-rc2
2.3.0
2.4.0-rc1
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
3.*
3.0.0-m1
3.0.0-m2
3.0.0-m3
3.0.0-rc1
3.0.0
3.0.1
3.0.2
3.1.0-rc1
3.1.0-rc2
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0-rc1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.3.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-q62h-354g-5r85/GHSA-q62h-354g-5r85.json"
last_known_affected_version_range
"<= 3.3.0"