Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable unauthenticated read of /actuator/env yields high confidentiality loss, but AC:H reflects the required non-default exposure of the env actuator and use of unmatched key names.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (password, secret, key, token, .*credentials.*, vcap_services) does not cover the standard .NET pattern ConnectionStrings:<name> or Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString. There is no value-based scrubbing, so full connection string values including embedded Password= and user:pass@host segments are returned verbatim in /actuator/env responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove env from the actuator exposure list; add .*connectionstring.* to KeysToSanitize as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints.
AnalysisAI
Sensitive credential disclosure in Steeltoe.Management.Endpoint before 4.2.0 and Steeltoe.Management.EndpointCore before 3.4.0 allows remote attackers to retrieve plaintext database connection strings, embedded passwords, and URI userinfo segments via the /actuator/env endpoint. The Sanitizer's default key-suffix list omits the standard .NET ConnectionStrings:<name> pattern and the Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString pattern, and performs no value-based scrubbing. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires that the Steeltoe `env` actuator endpoint is included in the actuator exposure list AND is reachable by the attacker AND is not protected by an ASP.NET authorization policy. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) is plausible only when the `env` actuator is exposed without authentication - a known-bad but unfortunately common deployment pattern that mirrors the Spring Boot Actuator exposure issues seen historically. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker discovers a publicly reachable Steeltoe-based .NET service and issues a single GET request to `/actuator/env`, receiving a JSON document containing the application's full `ConnectionStrings:*` values with embedded SQL Server, PostgreSQL, or RabbitMQ credentials. The attacker pivots by connecting directly to the disclosed database or message broker using the harvested credentials. … |
| Remediation | Vendor-released patch: upgrade Steeltoe.Management.Endpoint to 4.2.0 or Steeltoe.Management.EndpointCore to 3.4.0, which add `.*connectionstring.*` to the default sanitization list and introduce value-based scrubbing of embedded `Password=`/`Pwd=` pairs and URI userinfo (commits bef9f14b and e50cd31a). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit systems running Steeltoe.Management.Endpoint <4.2.0 or EndpointCore <3.4.0; restrict network access to /actuator/env endpoint using firewall, WAF, or network controls; immediately rotate all database connection credentials and embedded authentication secrets. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Steeltoe Management Endpoint
View allImproper authentication in Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 allows remote unauthenti
Sensitive actuator endpoints in Steeltoe.Management.Endpoint and Steeltoe.Management.EndpointCore expose heap dumps, env
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37811
GHSA-q62h-354g-5r85