GHSA-227R-JM2G-7CP4

Vulnerability from github – Published: 2026-07-02 20:31 – Updated: 2026-07-02 20:31
VLAI
Summary
Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission
Details

Summary

All Steeltoe actuator endpoints default to EndpointPermissions.Restricted, which is mapped to Cloud Foundry's read_basic_data permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators including heap dump, environment, and thread dump do not raise this to EndpointPermissions.Full, so CF's read_sensitive_data permission flag is not enforced for those endpoints. Spring Boot's equivalent Cloud Foundry integration gates these endpoints with read_sensitive_data by default.

Impact

Any CF user holding Space Auditor, Space Manager, or Org Auditor role can access the heap dump, environment, and thread dump actuators for any Steeltoe application in their space. A heap dump contains all in-memory data including database passwords, bearer tokens, and VCAP_SERVICES credentials. CF's read_sensitive_data permission, which is specifically designed to gate this access, has no effect.

Affected configuration

  • Application is deployed on Cloud Foundry with CF actuator and security middleware active (added automatically by AddAllActuators() when a CF environment is detected).
  • The attacker holds a CF role that grants read_basic_data: Space Auditor, Space Manager, or Org Auditor.

Mitigations

If an immediate upgrade is not possible:

  • Explicitly set RequiredPermissions = EndpointPermissions.Full in the options for HeapDumpEndpointOptions, EnvironmentEndpointOptions, and ThreadDumpEndpointOptions.
  • If heap dump, thread dump, or environment are not needed in production, register only the required actuators individually instead of using AddAllActuators().
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Management.Endpoint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Management.EndpointBase"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50201"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:31:26Z",
    "nvd_published_at": "2026-06-17T23:17:04Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nAll Steeltoe actuator endpoints default to `EndpointPermissions.Restricted`, which is mapped to Cloud Foundry\u0027s `read_basic_data` permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators including heap dump, environment, and thread dump do not raise this to `EndpointPermissions.Full`, so CF\u0027s `read_sensitive_data` permission flag is not enforced for those endpoints. Spring Boot\u0027s equivalent Cloud Foundry integration gates these endpoints with `read_sensitive_data` by default.\n\n### Impact\n\nAny CF user holding Space Auditor, Space Manager, or Org Auditor role can access the heap dump, environment, and thread dump actuators for any Steeltoe application in their space. A heap dump contains all in-memory data including database passwords, bearer tokens, and VCAP_SERVICES credentials. CF\u0027s `read_sensitive_data` permission, which is specifically designed to gate this access, has no effect.\n\n### Affected configuration\n\n- Application is deployed on Cloud Foundry with CF actuator and security middleware active (added automatically by `AddAllActuators()` when a CF environment is detected).\n- The attacker holds a CF role that grants `read_basic_data`: Space Auditor, Space Manager, or Org Auditor.\n\n### Mitigations\n\nIf an immediate upgrade is not possible:\n\n- Explicitly set `RequiredPermissions = EndpointPermissions.Full` in the options for `HeapDumpEndpointOptions`, `EnvironmentEndpointOptions`, and `ThreadDumpEndpointOptions`.\n- If heap dump, thread dump, or environment are not needed in production, register only the required actuators individually instead of using `AddAllActuators()`.",
  "id": "GHSA-227r-jm2g-7cp4",
  "modified": "2026-07-02T20:31:26Z",
  "published": "2026-07-02T20:31:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-227r-jm2g-7cp4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50201"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/Steeltoe/commit/b39defa4db5f44f8696c456866b3a5b900d8d96b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/Steeltoe/commit/da6c604decd992f61aeef763f5814102dcb088c7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SteeltoeOSS/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Steeltoe\u0027s sensitive actuators (heapdump/env) only require Restricted permission"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…