Steeltoe.Management.Endpoint versions prior to 4.2.0 and Steeltoe.Management.EndpointCore versions prior to 3.4.0 contain a sensitive information exposure vulnerability (CWE-200) due to insufficient redaction of configuration values in the Environment actuator's Sanitizer component. The default redaction keys do not include .NET standard connection string keys or Steeltoe-specific connection string keys, resulting in full connection strings, including embedded passwords and credentials, being returned verbatim in /actuator/env responses. This can lead to unauthorized disclosure of sensitive credentials. The vulnerability has a CVSS 3.1 score of 7.5 (high severity) with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. The issue is fixed in Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0. No official patch links or vendor advisory were provided in the input data.

Exploitation of this vulnerability allows an unauthenticated attacker to obtain sensitive configuration data, including full connection strings with embedded credentials, from the /actuator/env endpoint. This exposure can lead to compromise of connected systems or services that rely on these credentials. The vulnerability does not affect integrity or availability but has a high confidentiality impact.

A fix is available by upgrading to Steeltoe.Management.Endpoint 4.2.0 or later and Steeltoe.Management.EndpointCore 3.4.0 or later. If immediate upgrade is not possible, mitigate by removing the 'env' endpoint from the actuator exposure list, adding '.*connectionstring.*' to the KeysToSanitize configuration to enhance redaction, and/or enforcing authorization on actuator endpoints to restrict access. Patch status is not explicitly confirmed in the vendor advisory content provided; check the vendor advisory for current remediation guidance.