Description

This Spring Boot web application is configured with Admin MBean enabled. Spring Boot allows developers to enable admin-related features for the application by specifying the spring.application.admin.enabled property.

Remediation

In production websites it's recommended to disable the Admin MBean using the following configuration (in the Spring properties file): 

spring.application.admin.enabled=false

References

Appendix A. Common application properties

Related Vulnerabilities

The FREAK attack

Insecure Referrer Policy

Apache Tomcat version older than 7.0.30

Multiple vulnerabilities fixed in PHP versions 5.5.12 and 5.4.28

Same site scripting

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration