Steeltoe Configuration Abstractions
Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0 permanently exposes TLS client private key material in world-readable temporary files on Linux when Cloud Foundry MySQL or PostgreSQL service bindings supply SSL credentials via VCAP_SERVICES. The Connectors library writes the SSL certificate, private key, and CA files to Path.GetTempPath() using File.CreateText, which on Linux creates files with mode 0644 (owner read/write, group read, world read), and provides no cleanup mechanism, so the key material stays readable by any co-located process for the lifetime of the container. The vendor-released 4.2.0 patch resolves both issues: new temp files are restricted to mode 0600, and the files are removed via IDisposable. No public exploit had been identified at the time of analysis.
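The following is an added illustration, not Steeltoe's code, contrasting the weak pattern described above (File.CreateText into the temp directory, mode left to the umask, no cleanup) with a hardened equivalent that creates the file as 0600 from the outset and deletes it on Dispose. It assumes the .NET 7+ FileStreamOptions.UnixCreateMode and File.GetUnixFileMode APIs; the class name, method names and the exclusive-create choice are the author's own, not something the advisory or the 4.2.0 patch specifies.

```csharp
using System;
using System.IO;
using System.Text;

// Hypothetical helper (not Steeltoe's). Materialises PEM text to disk for a
// driver that only accepts file paths, without leaving it world-readable.
public sealed class MaterializedSecretFile : IDisposable
{
    public string FilePath { get; }
    private MaterializedSecretFile(string path) => FilePath = path;

    private static string NewTempPath() =>
        Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());

    // Weak pattern from the advisory: File.CreateText honours the process
    // umask (typically yielding 0644 on Linux) and nothing ever deletes the file.
    public static string WriteWeak(string pem)
    {
        string path = NewTempPath();
        using (StreamWriter w = File.CreateText(path)) w.Write(pem);
        return path;
    }

    // Hardened pattern: owner read/write only at creation time (no window in
    // which the file is readable by others), exclusive create so an existing
    // file is never silently overwritten, and removal on Dispose.
    public static MaterializedSecretFile WriteHardened(string pem)
    {
        string path = NewTempPath();
        var opts = new FileStreamOptions
        {
            Mode = FileMode.CreateNew,
            Access = FileAccess.Write,
            Share = FileShare.None,
        };
        if (!OperatingSystem.IsWindows())  // setter throws on Windows
            opts.UnixCreateMode = UnixFileMode.UserRead | UnixFileMode.UserWrite; // 0600
        using (var fs = new FileStream(path, opts))
        using (var w = new StreamWriter(fs, new UTF8Encoding(false)))
            w.Write(pem);
        return new MaterializedSecretFile(path);
    }

    // Defender check: true if any group/other permission bit is set (Unix only).
    public static bool IsExposed(string path)
    {
        if (OperatingSystem.IsWindows()) return false;
        const UnixFileMode others = UnixFileMode.GroupRead | UnixFileMode.GroupWrite | UnixFileMode.GroupExecute
                                  | UnixFileMode.OtherRead | UnixFileMode.OtherWrite | UnixFileMode.OtherExecute;
        return (File.GetUnixFileMode(path) & others) != 0;
    }

    public void Dispose()
    {
        try { File.Delete(FilePath); } catch (IOException) { /* best effort */ }
    }
}
```

On a Linux host with the default 022 umask, IsExposed returns true for the path from WriteWeak and false for the one from WriteHardened, which is the difference the 4.2.0 fix closes.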