
Steeltoe Configuration Abstractions

1 CVEs product

Monthly

CVE-2026-50267 NuGet MEDIUM PATCH GHSA This Month

Steeltoe.Configuration.Abstractions 4.0.0-4.1.0 permanently exposes TLS client private key material in world-readable temporary files on Linux when Cloud Foundry MySQL or PostgreSQL service bindings supply SSL credentials via VCAP_SERVICES. The Connectors library writes the SSL certificate, private key, and CA files to Path.GetTempPath() using File.CreateText, which on Linux creates files at mode 0644 (owner read/write, group read, world read). There is no cleanup mechanism, so the key material stays readable by any co-located process for the container's lifetime. The vendor-released patch, 4.2.0, resolves both the permission issue (restricting new temp files to mode 0600) and the missing cleanup (via IDisposable). No public exploit has been identified at time of analysis.

Information Disclosure PostgreSQL Steeltoe Configuration Abstractions
NVD GitHub VulDB
CVSS 3.1: 4.7
EPSS: 0.1%
