These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A low-severity vulnerability was found in Steeltoe.Configuration.Encryption versions 4.0.0 through 4.1.0. The issue arises when configuring `encrypt:rsa:algorithm=OAEP`, which does not enable OAEP encryption due to an incorrect BouncyCastle transformation string. Instead, it selects PKCS#1 v1.5, the same algorithm as the `DEFAULT` setting. This vulnerability has a CVSS score of 1.9 and is considered low s [truncated]
Steeltoe Configuration Abstractions versions 4.0.0 through 4.1.0 are vulnerable to a medium-severity issue (CVSS score 4.7) where MySQL or PostgreSQL service bindings from `VCAP_SERVICES` including TLS client credentials are written to temporary files in `Path.GetTempPath()` with world-readable permissions (mode `0644`) on Linux systems. These files are never deleted and can be accessed by other processes [truncated]
Steeltoe, an open-source project for building cloud-native applications, has a vulnerability in its JWT signing key cache. The `TokenKeyResolver` uses only the `kid` as the cache key without namespacing by authority. This allows a key fetched for one `JwtBearer` scheme to satisfy token validation for another, potentially bypassing security checks. The issue affects Steeltoe.Security.Authentication.CloudFo [truncated]
Steeltoe Discovery.Eureka prior to versions 4.2.0 and 3.4.0 has a deserialization issue. The `DataCenterInfo.FromJson` method throws an `ArgumentException` for any `name` value other than 'MyOwn' or 'Amazon', despite the Java Eureka specification defining a third valid value: 'Netflix'. This exception propagates through the registry deserialization chain and is swallowed by the periodic cache refresh task [truncated]