Steeltoe Management Endpointcore
Monthly
Sensitive credential disclosure in Steeltoe.Management.Endpoint before 4.2.0 and Steeltoe.Management.EndpointCore before 3.4.0 allows remote attackers to retrieve plaintext database connection strings, embedded passwords, and URI userinfo segments via the `/actuator/env` endpoint. The Sanitizer's default key-suffix list omits the standard .NET `ConnectionStrings:<name>` pattern and the Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString` pattern, and performs no value-based scrubbing. No public exploit identified at time of analysis, but the fix and test cases are committed in public GitHub history, making the vulnerable behavior easy to reproduce.
Improper authentication in Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 allows remote unauthenticated attackers to reach actuator endpoints intended to be isolated on a separate management port by spoofing the HTTP Host header. The middleware trusted the client-supplied Host header port instead of the actual TCP socket port, defeating port-based access restrictions and enabling information disclosure from sensitive actuator endpoints. No public exploit identified at time of analysis, though the fix commit and a regression test demonstrating Host-header spoofing are publicly available on GitHub.
Sensitive credential disclosure in Steeltoe.Management.Endpoint before 4.2.0 and Steeltoe.Management.EndpointCore before 3.4.0 allows remote attackers to retrieve plaintext database connection strings, embedded passwords, and URI userinfo segments via the `/actuator/env` endpoint. The Sanitizer's default key-suffix list omits the standard .NET `ConnectionStrings:<name>` pattern and the Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString` pattern, and performs no value-based scrubbing. No public exploit identified at time of analysis, but the fix and test cases are committed in public GitHub history, making the vulnerable behavior easy to reproduce.
Improper authentication in Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 allows remote unauthenticated attackers to reach actuator endpoints intended to be isolated on a separate management port by spoofing the HTTP Host header. The middleware trusted the client-supplied Host header port instead of the actual TCP socket port, defeating port-based access restrictions and enabling information disclosure from sensitive actuator endpoints. No public exploit identified at time of analysis, though the fix commit and a regression test demonstrating Host-header spoofing are publicly available on GitHub.