Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
A local attack vector and a co-located process running under a different UID with access to /tmp are required, which justifies AV:L and AC:H; exposure of TLS private keys warrants C:H, with no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M): CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Description (CVE.org)
Steeltoe is an open source project that provides a collection of libraries that help users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or PostgreSQL service bindings from VCAP_SERVICES include TLS client credentials, the Connectors library writes those credentials to temporary files in Path.GetTempPath() using File.CreateText. On Linux, File.CreateText creates files with mode 0644 (world-readable) under the process umask, and the files are never deleted. The same key material is protected at mode 0400 in /proc/<pid>/environ. Steeltoe.Configuration.Abstractions version 4.2.0 patches the issue. If an immediate upgrade is not possible, prevent other processes from running in the container under a different UID with access to /tmp.
Analysis (AI)
Steeltoe.Configuration.Abstractions 4.0.0-4.1.0 permanently exposes TLS client private key material to world-readable temporary files on Linux when Cloud Foundry MySQL or PostgreSQL service bindings supply SSL credentials via VCAP_SERVICES. The Connectors library writes SSL certificate, private key, and CA files to Path.GetTempPath() using File.CreateText, which on Linux creates files at mode 0644 (owner read/write, group read, world read) with no cleanup mechanism, leaving key material readable by any co-located process for the container's lifetime. …
Vulnerability Assessment (AI)
| Area | Assessment |
|---|---|
| Exploitation | All four of the following conditions must be met simultaneously: (1) The application must run Steeltoe.Configuration.Abstractions 4.0.0-4.1.0; earlier and later versions are not affected. (2) The Cloud Foundry environment must supply MySQL or PostgreSQL service bindings in VCAP_SERVICES that include TLS client credentials (ssl-cert, ssl-key, ssl-ca for MySQL; SSL Certificate, SSL Key, Root Certificate for PostgreSQL); bindings without TLS client certificates do not reach the vulnerable code path. (3) The host operating system must be Linux; the fix code explicitly bypasses the secure file creation path on Windows, and File.CreateText on Windows does not produce world-readable files in the same way. (4) The attacker must have local process execution capability within the same container under a UID different from the application process UID, with read access to Path.GetTempPath(). … |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, score 4.7) accurately characterizes this vulnerability. … |
| Exploit Scenario | An attacker who has obtained low-privilege local execution within a Linux Cloud Foundry container running a Steeltoe 4.0.0-4.1.0 application with MySQL or PostgreSQL TLS bindings can enumerate /tmp for world-readable PEM files written by the Connectors library, extract the TLS private key, and subsequently impersonate the application to the database server in mTLS-authenticated sessions. No public exploit code has been identified, but the attack requires only standard file system enumeration tools once local access is established. |
| Remediation | Upgrade to Steeltoe.Configuration.Abstractions 4.2.0, the vendor-released patch that resolves both the insecure file permissions (switching to mode 0600 via FileStreamOptions.UnixCreateMode on Linux) and the missing temp-file cleanup (IDisposable pattern across CloudFoundryPostProcessor and PostProcessorConfigurationProvider). … |
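As an added illustration of the defect in the Description and the fix noted under Remediation (this is not Steeltoe's own code): the unsafe File.CreateText pattern beside a hardened variant that requests mode 0600 through FileStreamOptions.UnixCreateMode and deletes the file on Dispose, plus a permission check a defender can run against a suspect temp file. Class and method names are assumptions; it targets .NET 7 or later, where UnixCreateMode and File.GetUnixFileMode exist.

```csharp
using System;
using System.IO;
// Added example, not Steeltoe's code; names are assumptions. Needs .NET 7+
// for FileStreamOptions.UnixCreateMode and File.GetUnixFileMode.
public sealed class TempPemFile : IDisposable
{
    public string FilePath { get; }
    private TempPemFile(string path) => FilePath = path;
    private static string NewTempPath() => Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.pem");
    // Vulnerable pattern (4.0.0-4.1.0): File.CreateText only honors the umask, so with the
    // usual 022 umask the key lands at 0644, readable by every UID; nothing ever deletes it.
    public static string WriteUnsafe(string pem)
    {
        string path = NewTempPath();
        using (StreamWriter w = File.CreateText(path)) w.Write(pem);
        return path;
    }
    // Hardened pattern: request 0600 at creation time (no window with wider permissions),
    // refuse to clobber an existing file, and delete the file on Dispose.
    public static TempPemFile CreateSecure(string pem)
    {
        string path = NewTempPath();
        var options = new FileStreamOptions { Mode = FileMode.CreateNew, Access = FileAccess.Write, Share = FileShare.None };
        if (!OperatingSystem.IsWindows()) // the Windows path has no Unix mode to set
            options.UnixCreateMode = UnixFileMode.UserRead | UnixFileMode.UserWrite; // 0600
        using (var fs = new FileStream(path, options))
        using (var w = new StreamWriter(fs)) w.Write(pem);
        return new TempPemFile(path);
    }
    // Defender's check: true when group or other can read the file (Linux only).
    public static bool IsWorldReadable(string path) => !OperatingSystem.IsWindows() &&
        (File.GetUnixFileMode(path) & (UnixFileMode.GroupRead | UnixFileMode.OtherRead)) != 0;
    public void Dispose()
    {
        try { File.Delete(FilePath); } catch (IOException) { /* best effort */ }
    }
}
public static class Demo
{
    public static void Main()
    {
        const string pem = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"; // placeholder, not a real key
        string leaky = TempPemFile.WriteUnsafe(pem);
        using TempPemFile safe = TempPemFile.CreateSecure(pem);
        Console.WriteLine($"unsafe world-readable={TempPemFile.IsWorldReadable(leaky)}");
        Console.WriteLine($"secure world-readable={TempPemFile.IsWorldReadable(safe.FilePath)}");
        File.Delete(leaky); // the vulnerable path never does this; tidy the demo file
    }
}
```

On Linux with the default 022 umask the first line reports true and the second false; the secure file is removed when the using scope ends.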
Weakness: CWE-312 – Cleartext Storage of Sensitive Information
Technique: Information Disclosure
Related identifiers: EUVD-2026-37820, GHSA-rxrh-4j9h-xgg9