<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Steeltoe - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/steeltoe/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:24:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/steeltoe/feed.xml" rel="self" type="application/rss+xml"/><item><title>Steeltoe Host Header Bypass Vulnerability (CVE-2026-50194)</title><link>https://feed.craftedsignal.io/briefs/2026-07-steeltoe-host-header-bypass/</link><pubDate>Fri, 03 Jul 2026 11:24:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-steeltoe-host-header-bypass/</guid><description>An unauthenticated remote attacker can bypass port isolation in Steeltoe applications configured with `Management:Endpoints:Port` by spoofing the Host HTTP header, allowing access to all actuator endpoints (CVE-2026-50194).</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-2026-50194) in Steeltoe applications allows unauthenticated remote attackers to bypass port isolation for management endpoints. This flaw affects configurations where <code>Management:Endpoints:Port</code> is explicitly set to a port different from the application's primary listener. The middleware, intended to restrict access, incorrectly relies on the <code>Host</code> HTTP header rather than the actual network socket port. By crafting a request with a spoofed <code>Host</code> header specifying the management port, attackers can trick the application into granting access to all actuator endpoints. This enables unauthorized control, information disclosure, and potential configuration manipulation, making it a high-severity concern for organizations using vulnerable Steeltoe versions, specifically <code>Steeltoe.Management.Endpoint</code> up to 4.1.0 and <code>Steeltoe.Management.EndpointCore</code> versions between 3.2.2 and 3.3.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a publicly accessible Steeltoe application that is likely using management endpoints.</li>
<li>The target Steeltoe application is configured with <code>Management:Endpoints:Port</code> set to a port different from its main listener (e.g., application on 80/443, management on 8080).</li>
<li>Attacker crafts an HTTP request targeting the application's main listener port, typically 80 or 443.</li>
<li>The crafted request includes a spoofed <code>Host</code> HTTP header, setting its value to the application's domain combined with the configured <code>Management:Endpoints:Port</code> (e.g., <code>Host: example.com:8080</code>).</li>
<li>The request scheme (HTTP/HTTPS) matches the <code>Management:Endpoints:SslEnabled</code> setting of the application.</li>
<li>The Steeltoe middleware, upon receiving the request, evaluates the <code>Host</code> header for port isolation rather than the actual socket port the request arrived on.</li>
<li>The spoofed <code>Host</code> header causes the middleware to erroneously permit access as if the request originated on the designated management port.</li>
<li>Attacker gains unauthenticated access to all management actuator endpoints (e.g., <code>/actuator/health</code>, <code>/actuator/env</code>), enabling information disclosure or potential configuration changes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-50194 grants unauthenticated remote attackers full access to Steeltoe's management actuator endpoints. This can lead to severe consequences, including sensitive information disclosure (e.g., environment variables, application configuration), arbitrary configuration modifications, and potentially remote code execution if certain actuators are exposed and misconfigured. While no specific victim count has been reported, any organization deploying Steeltoe applications with the described vulnerable configuration is at risk. The ease of exploitation via a simple HTTP header manipulation makes this a high-risk vulnerability for data exposure and unauthorized system control.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade <code>Steeltoe.Management.Endpoint</code> to version 4.1.1 or higher, and <code>Steeltoe.Management.EndpointCore</code> to version 3.3.1 or higher, to address CVE-2026-50194.</li>
<li>Deploy the provided Sigma rule to your SIEM, tuning <code>cs-host</code> to match your expected application domain and monitoring for <code>cs-uri-stem</code> containing <code>/actuator/</code> with unexpected port values in the <code>Host</code> header.</li>
<li>Implement explicit ASP.NET Core authorization (<code>RequireAuthorization</code>) on all sensitive actuator endpoints as a defense-in-depth measure, as recommended by the Steeltoe advisory.</li>
<li>Configure reverse proxies or load balancers in front of Steeltoe applications to strictly enforce expected <code>Host</code> header values, preventing clients from specifying arbitrary ports.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>web-exploitation</category><category>cve</category><category>dotnet</category><category>bypass</category></item><item><title>Steeltoe.Discovery.Eureka Deserialization Denial-of-Service (CVE-2026-50196)</title><link>https://feed.craftedsignal.io/briefs/2026-07-steeltoe-eureka-deserialization-dos/</link><pubDate>Fri, 03 Jul 2026 11:23:15 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-steeltoe-eureka-deserialization-dos/</guid><description>The Steeltoe.Discovery.Eureka client contains a vulnerability (CVE-2026-50196) where its `DataCenterInfo.FromJson` method throws an `ArgumentException` if a `DataCenterInfo.name` value other than 'MyOwn' or 'Amazon' is encountered, specifically missing the valid 'Netflix' value from the Java Eureka specification, which causes the local service registry to become permanently empty or stale, leading to a complete service discovery outage for all connected Steeltoe Eureka clients.</description><content:encoded><![CDATA[<p>The Steeltoe.Discovery.Eureka client contains a critical vulnerability, identified as CVE-2026-50196, that can lead to a complete service discovery outage. The flaw resides in the <code>DataCenterInfo.FromJson</code> method, which is responsible for deserializing service registry information. This method incorrectly throws an <code>ArgumentException</code> when it encounters any <code>DataCenterInfo.name</code> value other than &quot;MyOwn&quot; or &quot;Amazon&quot;. Crucially, the valid &quot;Netflix&quot; value, specified in the Java Eureka standard, is unrecognized. This exception propagates through the entire registry deserialization chain and is silently swallowed by the client's periodic cache refresh task. Consequently, the Steeltoe client's local service registry remains permanently empty or stale, severing its ability to perform service lookups. This issue affects versions <code>&gt;= 4.0.0, &lt;= 4.1.0</code> and versions <code>&lt;= 3.3.0</code> of the <code>nuget/Steeltoe.Discovery.Eureka</code> package. It matters for defenders because a single, legitimate registration by a Java or Spring service in a mixed environment can inadvertently trigger a widespread denial of service for all Steeltoe clients.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A legitimate non-Steeltoe Eureka client (e.g., a Java or Spring Boot application) registers itself with a Eureka server.</li>
<li>The registering client sends its <code>DataCenterInfo.name</code> as &quot;Netflix&quot;, which is a valid value according to the Java Eureka specification.</li>
<li>A Steeltoe Eureka client (using the vulnerable <code>Steeltoe.Discovery.Eureka</code> package) attempts to fetch the full service registry from the Eureka server via an HTTP GET request.</li>
<li>During the internal deserialization process of the fetched registry data, the Steeltoe client's <code>DataCenterInfo.FromJson</code> method encounters the &quot;Netflix&quot; value for <code>DataCenterInfo.name</code>.</li>
<li>The <code>DataCenterInfo.FromJson</code> method, which only recognizes &quot;MyOwn&quot; or &quot;Amazon&quot; as valid names, incorrectly throws an <code>ArgumentException</code>.</li>
<li>This <code>ArgumentException</code> propagates through the registry fetch process and is subsequently swallowed by the Steeltoe client's periodic cache refresh task.</li>
<li>The Steeltoe client's local service registry cache fails to populate or update, leading to a persistent empty or stale state.</li>
<li>Impact: All services relying on this Steeltoe client for service discovery experience a complete outage due to the inability to resolve service lookups, which persists until the triggering registration is removed.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability results in a complete and persistent service discovery outage for all Steeltoe Eureka clients connected to the affected registry. New clients will start with an empty service registry, while running clients will cease to refresh their local cache, effectively rendering them unable to locate or communicate with other services. This outage is triggered by the presence of a single registration with an unrecognized <code>DataCenterInfo.name</code> (such as &quot;Netflix&quot;, which is valid in Java Eureka). It can be inadvertently caused by legitimate Java or Spring services in a mixed environment, leading to widespread unavailability across microservice architectures until the problematic registration is manually removed from the Eureka server.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize upgrading all instances of <code>Steeltoe.Discovery.Eureka</code> to a patched version that addresses CVE-2026-50196.</li>
<li>If immediate upgrade is not possible, audit your Eureka registry for any registrations using <code>DataCenterInfo.name</code> values other than &quot;MyOwn&quot; or &quot;Amazon&quot;, specifically &quot;Netflix&quot;, and remove them.</li>
<li>In environments with mixed Java/Spring and Steeltoe Eureka clients, proactively audit for the presence of the <code>Netflix</code> data center type before deploying Steeltoe Eureka clients to prevent CVE-2026-50196 from being triggered.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>vulnerability</category><category>service-discovery</category><category>.net</category><category>java</category><category>denial-of-service</category></item><item><title>Steeltoe Environment Actuator Vulnerability (CVE-2026-50200) Leaks Database Passwords</title><link>https://feed.craftedsignal.io/briefs/2026-07-steeltoe-env-sanitizer-leak/</link><pubDate>Fri, 03 Jul 2026 11:22:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-steeltoe-env-sanitizer-leak/</guid><description>A high-severity vulnerability, CVE-2026-50200, in the Steeltoe `Sanitizer` component of the Environment actuator allows for the unintended disclosure of sensitive connection string values, including embedded plaintext credentials, when the `/actuator/env` endpoint is accessed, enabling direct database connection and bypassing application-tier security.</description><content:encoded><![CDATA[<p>A significant vulnerability, identified as CVE-2026-50200, affects the <code>Sanitizer</code> component within the Environment actuator of Steeltoe applications, specifically <code>Steeltoe.Management.Endpoint</code> versions <code>&lt;= 4.1.0</code> and <code>Steeltoe.Management.EndpointCore</code> versions <code>&lt;= 3.3.0</code>. This flaw allows sensitive connection string details, including embedded plaintext passwords and user credentials, to be exposed verbatim when the <code>/actuator/env</code> endpoint is accessed. The default sanitization rules fail to cover standard .NET <code>ConnectionStrings:&lt;name&gt;</code> or Steeltoe Connectors' <code>Steeltoe:Client:&lt;type&gt;:Default:ConnectionString</code> patterns. This means that if <code>env</code> is exposed in <code>Management:Endpoints:Actuator:Exposure:Include</code> on standard deployments, or if accessed by an authenticated Cloud Foundry user with <code>read_basic_data</code> permissions via <code>/cloudfoundryapplication/env</code>, an attacker can retrieve critical database credentials, leading to direct access to backend databases and circumventing application-level security controls.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker conducts reconnaissance to identify a publicly accessible or internally exposed Steeltoe application endpoint, specifically targeting <code>/actuator/env</code> or <code>/cloudfoundryapplication/env</code>.</li>
<li>The attacker sends an unauthenticated (if publicly exposed) or authenticated (if Cloud Foundry with <code>read_basic_data</code> permissions) HTTP GET request to the identified <code>/actuator/env</code> or <code>/cloudfoundryapplication/env</code> endpoint.</li>
<li>The Steeltoe application's Environment actuator processes the request to display environment properties.</li>
<li>Due to the flaw in the <code>Sanitizer</code> component (CVE-2026-50200), configuration keys such as <code>ConnectionStrings:&lt;name&gt;</code> or <code>*:ConnectionString</code> are not properly redacted.</li>
<li>The application returns the full, unsanitized connection string values, which include plaintext credentials like <code>Password=</code> or <code>user:pass@host</code>, in the HTTP response body.</li>
<li>The attacker extracts these sensitive database credentials from the response.</li>
<li>Using the obtained credentials, the attacker establishes a direct connection to the backend database.</li>
<li>The attacker can then perform data exfiltration, manipulation, or further persistence actions on the database, bypassing the application layer.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Organizations running vulnerable Steeltoe applications are at high risk of credential compromise and direct database access. If successfully exploited, this vulnerability allows attackers to retrieve plaintext database credentials from the <code>/actuator/env</code> endpoint. This direct access to databases, such as SQL Server, PostgreSQL, or MySQL, can lead to severe consequences including unauthorized data exfiltration, data tampering, service disruption, and potential lateral movement within the network. The scope of impact is broad, affecting any organization utilizing Steeltoe where the actuator environment endpoint is exposed, either intentionally or inadvertently, without proper sanitization or authorization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade <code>nuget/Steeltoe.Management.Endpoint</code> to version <code>4.1.1</code> or later, and <code>nuget/Steeltoe.Management.EndpointCore</code> to version <code>3.3.1</code> or later, to patch CVE-2026-50200.</li>
<li>If immediate upgrade is not possible, remove <code>env</code> from <code>Management:Endpoints:Actuator:Exposure:Include</code> in your application configuration to prevent access via the standard path.</li>
<li>As a defense-in-depth measure, add <code>.*connectionstring.*</code> to the <code>KeysToSanitize</code> list in your Steeltoe configuration to ensure these patterns are redacted.</li>
<li>Enforce strong authorization on all actuator endpoints to limit access to trusted personnel and systems, as described in the brief's attack chain.</li>
<li>Deploy the <code>Detects CVE-2026-50200 Exploitation - Access to Steeltoe /actuator/env</code> Sigma rule to your SIEM and tune for legitimate access patterns.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>vulnerability</category><category>.net</category><category>steeltoe</category><category>webserver</category><category>actuator</category></item></channel></rss>