Steeltoe Configuration (EUVD-2026-37820)

CVE-2026-50267 | MEDIUM
Cleartext Storage of Sensitive Information (CWE-312)
2026-06-17 · GitHub_M · GHSA-rxrh-4j9h-xgg9
CVSS 3.1: 4.7 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 4.7 MEDIUM, AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI: 4.7 MEDIUM

Local attack vector and a separately-UID'd co-process in /tmp are required, justifying AV:L and AC:H; exposed TLS private keys warrant C:H with no integrity or availability impact.

CVSS 3.1: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jul 02, 2026 - 22:02 (EUVD)
Source Code Evidence Fetched: Jun 17, 2026 - 23:06 (vuln.today)
Analysis Generated: Jun 17, 2026 - 23:06 (vuln.today)

Description (CVE.org)

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or PostgreSQL service bindings from VCAP_SERVICES include TLS client credentials, the Connectors library writes those credentials to temporary files in Path.GetTempPath() using File.CreateText. On Linux, File.CreateText creates files with mode 0644 (world-readable) under the process umask, and the files are never deleted. The same key material is protected at mode 0400 in /proc/<pid>/environ. Steeltoe.Configuration.Abstractions version 4.2.0 patches the issue. If an immediate upgrade is not possible, prevent other processes from running in the container under a different UID with access to /tmp.

Analysis (AI)

Steeltoe.Configuration.Abstractions 4.0.0-4.1.0 permanently exposes TLS client private key material to world-readable temporary files on Linux when Cloud Foundry MySQL or PostgreSQL service bindings supply SSL credentials via VCAP_SERVICES. The Connectors library writes SSL certificate, private key, and CA files to Path.GetTempPath() using File.CreateText, which on Linux creates files at mode 0644 (owner read/write, group read, world read) with no cleanup mechanism, leaving key material readable by any co-located process for the container's lifetime. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain local process access to container
Delivery: Enumerate world-readable files in /tmp
Exploit: Identify Steeltoe-written TLS credential files
Execution: Extract SSL private key material
Persist: Present stolen client certificate to database
Impact: Impersonate application in mTLS session

Vulnerability Assessment (AI)

Exploitation: All four of the following conditions must be met simultaneously: (1) The application must run Steeltoe.Configuration.Abstractions 4.0.0-4.1.0 - earlier and later versions are not affected; (2) The Cloud Foundry environment must supply MySQL or PostgreSQL service bindings in VCAP_SERVICES that include TLS client credentials (ssl-cert, ssl-key, ssl-ca for MySQL; SSL Certificate, SSL Key, Root Certificate for PostgreSQL) - bindings without TLS client certs do not trigger the vulnerable code path; (3) The host operating system must be Linux - the fix code explicitly bypasses the secure file creation path on Windows, and File.CreateText on Windows does not produce world-readable files in the same way; (4) The attacker must have local process execution capability within the same container under a UID different from the application process UID, with read access to Path.GetTempPath(). …

Risk Assessment: The provided CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, score 4.7) accurately characterizes this vulnerability. …

Exploit Scenario: An attacker who has obtained low-privilege local execution within a Linux Cloud Foundry container running a Steeltoe 4.0.0-4.1.0 application with MySQL or PostgreSQL TLS bindings can enumerate /tmp for world-readable PEM files written by the Connectors library, extract the TLS private key, and subsequently impersonate the application to the database server in mTLS-authenticated sessions. No public exploit code has been identified, but the attack requires only standard file system enumeration tools once local access is established.

Remediation: Upgrade to Steeltoe.Configuration.Abstractions 4.2.0, which is the vendor-released patch that resolves both the insecure file permissions (switching to mode 0600 via FileStreamOptions.UnixCreateMode on Linux) and the missing temp-file cleanup (IDisposable pattern across CloudFoundryPostProcessor and PostProcessorConfigurationProvider). …
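
A defender-side check for the condition described above, as an added example that is not Steeltoe's or the advisory's own code: it lists files under a temp directory that are readable by group or other and carry a PEM private-key header, without printing any key bytes. The function names and sample file names are hypothetical, and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a temp directory for PEM private keys readable
# beyond the owning UID. Prints "<permission string> <path>" per finding.
# Assumes key files are PEM-encoded; file contents are never printed.

audit_tmp_keys() {
    dir="${1:-${TMPDIR:-/tmp}}"
    # Group-read (040) or other-read (004) set: readable by a different UID.
    find "$dir" -xdev -type f \( -perm -040 -o -perm -004 \) 2>/dev/null |
    while IFS= read -r f; do
        # Match the PEM header only; key bytes are never echoed.
        if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f" 2>/dev/null; then
            printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
        fi
    done
}

# Constructed sample: a scratch directory with placeholder files (no real keys).
make_sample_dir() {
    d="$(mktemp -d)" || return 1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$d/exposed.tmp"
    cp "$d/exposed.tmp" "$d/owner_only.tmp"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/cert.tmp"
    chmod 644 "$d/exposed.tmp" "$d/cert.tmp"   # mode the advisory attributes to File.CreateText
    chmod 600 "$d/owner_only.tmp"              # mode the 4.2.0 fix uses
    printf '%s\n' "$d"
}
```

Run `audit_tmp_keys` with no argument inside the application container to check `$TMPDIR` or `/tmp`; any output on an affected version means key material is readable by other UIDs and the bound credentials should be rotated after upgrading.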
