Summary

Acunetix 360 detected the Spring Boot Actuator Endpoint.

Impact

Actuator endpoints allow you to monitor and interact with your Spring application. Spring Boot includes a number of built-in endpoints, and you can also add your own. For example, the health endpoint provides basic application health information. The following endpoints are available:

  • /autoconfig - Displays an auto-configuration report showing all auto-configuration candidates and the reason why they 'were' or 'were not' applied.

  • /beans - Displays a complete list of all the Spring beans in your application.

  • /configprops - Displays a collated list of all @ConfigurationProperties.

  • /dump - Performs a thread dump.

  • /env - Exposes properties from Spring's ConfigurableEnvironment.

  • /health - Shows application health information (a simple 'status' when accessed over an unauthenticated connection or full message details when authenticated).

  • /info - Displays arbitrary application info.

  • /metrics - Shows 'metrics' information for the current application.

  • /mappings - Displays a collated list of all @RequestMapping paths.

  • /shutdown - Allows the application to be gracefully shut down (not enabled by default).

  • /trace - Displays trace information (by default the last few HTTP requests).

Remediation

In production, it is recommended to disable access to these endpoints.
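As an added example (not from the Acunetix page or from the Spring project), an application.properties that closes the endpoints listed above. The endpoint names on this page are the Spring Boot 1.x ones, so the first section uses the 1.x property keys; the short second section gives the equivalent keys for Spring Boot 2.x, where the names changed. Weak values are shown as commented-out lines so the file as written is the hardened form; the management port, bind address and path prefix are assumed values.

```properties
# ---- Spring Boot 1.x -------------------------------------------------------
# WEAK (do not ship): every actuator endpoint is mapped on the application
# port, and with security off anyone can read /env, /beans, /dump, /trace ...
#   endpoints.enabled=true
#   management.security.enabled=false
#   endpoints.shutdown.enabled=true

# Hardened: disable all endpoints, then re-enable only the ones that are needed.
endpoints.enabled=false
endpoints.health.enabled=true
endpoints.info.enabled=true
# Keep /health sensitive so an unauthenticated caller sees only the simple
# status and the full details require an authenticated user.
endpoints.health.sensitive=true
# /shutdown is off by default; state it explicitly so nobody turns it on later.
endpoints.shutdown.enabled=false
# Sensitive endpoints require authentication and the ACTUATOR role.
management.security.enabled=true
management.security.roles=ACTUATOR
# Serve management endpoints on a separate loopback port and path prefix
# (8081, 127.0.0.1 and /manage are assumed values) so the public port never
# exposes them; reach them through a firewalled bastion or sidecar.
management.port=8081
management.address=127.0.0.1
management.context-path=/manage

# ---- Spring Boot 2.x equivalent -------------------------------------------
# Endpoint names changed (/dump -> /threaddump, /trace -> /httptrace) and an
# endpoint must be both enabled AND exposed over the web to be reachable.
management.endpoints.enabled-by-default=false
management.endpoint.health.enabled=true
management.endpoint.info.enabled=true
management.endpoints.web.exposure.include=health,info
management.endpoint.health.show-details=when-authorized
management.endpoint.shutdown.enabled=false
management.server.port=8081
management.server.address=127.0.0.1
management.endpoints.web.base-path=/manage
```

After deploying, confirm from the public interface that the old paths (/env, /beans, /mappings, /trace and so on) return 404 and that only /health and /info answer on the management port.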

Severity

Medium

Classification

CWE-489, OWASP 2013-A5, OWASP 2017-A6