Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
Description
Steeltoe is an open source project that provides a collection of libraries that help users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (password, secret, key, token, .*credentials.*, vcap_services) does not cover the standard .NET pattern ConnectionStrings: or Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString. There is no value-based scrubbing, so full connection string values, including embedded Password= and user:pass@host segments, are returned verbatim in /actuator/env responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: on the standard path, remove env from the actuator exposure list; add .*connectionstring.* to KeysToSanitize as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <4.2.0
Patches
Vulnerability mechanics
Root cause
"The Sanitizer component did not include `.*connectionstring.*` in its default key-suffix list and lacked value-based scrubbing, so connection strings and embedded credentials were returned verbatim in `/actuator/env` responses."
Attack vector
An attacker who can reach the `/actuator/env` HTTP endpoint (typically exposed without authentication in development or misconfigured deployments) can retrieve full configuration values. Because the default sanitizer key list did not cover `.*connectionstring.*`, keys such as `ConnectionStrings:OrderDb` or `Steeltoe:Client:postgresql:Default:ConnectionString` were returned unmasked. Even when a key was not on the sanitize list, the value itself could contain embedded credentials (e.g., `Password=secret` or `amqp://user:pass@host`) that were not scrubbed, leaking database passwords, queue credentials, and other secrets. [ref_id=1]
Affected code
The `Sanitizer` class in `Steeltoe.Management.Endpoint` (and `Steeltoe.Management.EndpointBase`) is at fault. The default key-suffix list in `EnvironmentEndpointOptions` / `EnvEndpointOptions` did not include `.*connectionstring.*`, so keys like `ConnectionStrings:<name>` and `Steeltoe:Client:<type>:Default:ConnectionString` were not matched. Additionally, the `Sanitizer.Sanitize()` method had no value-based scrubbing, so embedded `Password=`, `Pwd=`, and `user:pass@` segments inside connection-string or URI values were returned verbatim. [patch_id=6466807] [patch_id=6466806]
What the fix does
The patch adds `.*connectionstring.*` to the default `KeysToSanitize` list in both `ConfigureEnvironmentEndpointOptions` and `EnvEndpointOptions`, so keys like `ConnectionStrings:OrderDb` are fully masked (`******`). More importantly, the `Sanitizer.Sanitize()` method now applies two regular expressions to every value: one that replaces `Password=` or `Pwd=` (case-insensitive) with `******`, and another that replaces the password portion of `user:pass@` in URI-like values with `******`. This means even if a key is not on the sanitize list, embedded credentials inside connection strings and URIs are still redacted. [patch_id=6466807] [patch_id=6466806]
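The following C# program is an added illustration, not Steeltoe's own code, of the two layers the advisory describes: a key-suffix list (the pre-fix defaults beside the patched list that adds `.*connectionstring.*`) and value-based scrubbing of `Password=`/`Pwd=` and `user:pass@` segments. The matching rule (plain entries compared as case-insensitive suffixes, entries with regex metacharacters applied as regexes), the exact regular expressions, the class and method names, and the sample configuration entries are all assumptions made for this example and are not taken from the patch.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example: a minimal model of key-based plus value-based redaction for
// an environment actuator. Not Steeltoe's Sanitizer; names and regexes are assumed.
public static class EnvSanitizerDemo
{
    const string Mask = "******";

    // Default suffix list as the advisory quotes it (pre-fix behaviour).
    static readonly string[] DefaultKeys =
        { "password", "secret", "key", "token", ".*credentials.*", "vcap_services" };

    // Patched list: the same entries plus the connection-string pattern.
    static readonly string[] FixedKeys =
        { "password", "secret", "key", "token", ".*credentials.*", "vcap_services",
          ".*connectionstring.*" };

    // Value-level scrubbing (assumed regexes modelled on the advisory's description):
    // 1) the value after "Password=" or "Pwd=" up to the next ';'
    static readonly Regex PasswordKv = new Regex(
        @"(?<=(^|;|\s)(password|pwd)\s*=\s*)[^;]*",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);
    // 2) the password part of "scheme://user:pass@host"
    static readonly Regex UriUserPass = new Regex(
        @"(?<=://[^:/@\s]+:)[^@/\s]+(?=@)",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Assumed matching rule: entries containing regex metacharacters are applied as
    // case-insensitive regexes, everything else is a case-insensitive suffix test.
    static bool KeyMatches(string key, string[] patterns)
    {
        foreach (var p in patterns)
        {
            bool isRegex = p.IndexOfAny(new[] { '*', '.', '[', '(', '\\', '?', '+', '|' }) >= 0;
            if (isRegex ? Regex.IsMatch(key, p, RegexOptions.IgnoreCase)
                        : key.EndsWith(p, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Returns the value as the endpoint would expose it. patched=false models the
    // pre-fix behaviour (key list only); patched=true adds the value-based scrubbing.
    public static string Sanitize(string key, string value, bool patched)
    {
        if (KeyMatches(key, patched ? FixedKeys : DefaultKeys))
            return Mask;                      // whole value masked on a key hit
        if (!patched)
            return value;                     // pre-fix: nothing else is scrubbed
        var scrubbed = PasswordKv.Replace(value, Mask);
        return UriUserPass.Replace(scrubbed, Mask);
    }

    public static void Main()
    {
        // Constructed sample configuration (placeholder credentials, not real ones).
        var env = new Dictionary<string, string>
        {
            ["ConnectionStrings:OrderDb"] = "Host=db;Username=app;Password=hunter2",
            ["Steeltoe:Client:RabbitMQ:Default:ConnectionString"] = "amqp://svc:s3cret@mq:5672/",
            ["Cache:Redis:Url"] = "redis://default:pw123@cache:6379", // key never on the list
            ["ApiKey"] = "abc123",                                     // suffix "key" hit
            ["Logging:LogLevel:Default"] = "Information",
        };

        foreach (var patched in new[] { false, true })
        {
            Console.WriteLine(patched ? "-- patched --" : "-- pre-fix --");
            foreach (var kv in env)
                Console.WriteLine($"{kv.Key} = {Sanitize(kv.Key, kv.Value, patched)}");
        }
    }
}
```

In the pre-fix pass only `ApiKey` is masked; both connection strings and the Redis URL leak their passwords. In the patched pass the two connection-string keys are masked outright by the new list entry, and `Cache:Redis:Url`, whose key still matches nothing, comes back as `redis://default:******@cache:6379` because the value-based layer catches the `user:pass@` segment. That second layer is the defense-in-depth point: a key-name list can never enumerate every place a secret is embedded, so scrubbing the value itself is what closes the gap.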
Preconditions
- network: The /actuator/env endpoint must be exposed and reachable by the attacker.
- auth: No authorization or access control on the actuator endpoint (or the attacker has valid credentials).
- input: The application configuration must contain connection strings or URI values with embedded credentials under keys not previously covered by the sanitizer list.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/SteeltoeOSS/Steeltoe/commit/bef9f14b710232fca3fbe87e48fdd1b9e6b60d43
- github.com/SteeltoeOSS/Steeltoe/commit/e50cd31a429b191841120f0d38fa9dda8f751b0a
- github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-q62h-354g-5r85