If you think you have found a security vulnerability, please DO NOT disclose it publicly until we've had a chance to fix it. Please don’t report security vulnerabilities using GitHub issues, instead head over to Steeltoe Security Policy and learn how to disclose them responsibly.
Security: SteeltoeOSS/security-advisories
- OAEP setting silently selects PKCS#1 v1.5 padding (GHSA-4j9m-h44m-2hv8), published May 29, 2026 by TimHess. Severity: Low
- TLS private keys written to /tmp with default permissions, never deleted (GHSA-rxrh-4j9h-xgg9), published May 29, 2026 by TimHess. Severity: Moderate
- Static JWKS cache shared across schemes and never invalidated (GHSA-7fqc-p256-7pwj), published May 29, 2026 by TimHess. Severity: Moderate
- Sensitive actuators (heapdump/env) only require Restricted permission (GHSA-227r-jm2g-7cp4), published May 29, 2026 by TimHess. Severity: Moderate
- Env sanitizer misses connection strings, leaking embedded DB passwords (GHSA-q62h-354g-5r85), published May 29, 2026 by TimHess. Severity: High
- Unrecognized DataCenterInfo.Name poisons entire registry fetch (GHSA-j8ph-6fxj-g533), published May 29, 2026 by TimHess. Severity: High
- Management-port isolation bypass via spoofed Host header (GHSA-58f6-6rj2-3v8r), published May 29, 2026 by TimHess. Severity: High
- Basic Auth Credential Leakage to Logs After Fetch Registry Error in Steeltoe.Discovery.Eureka with Peer Awareness (GHSA-vmcp-66r5-3pcp), published Jul 17, 2024 by TimHess. Severity: Low
Learn more about advisories related to SteeltoeOSS/security-advisories in the GitHub Advisory Database