Description

Spring Boot Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own.

By default, all endpoints but shutdown are enabled but only health and info are exposed. This web application is configured with (management.endpoints.web.expose=* or management.endpoints.web.exposure.include=*) that is exposing all Spring Boot Actuator endpoints.

Remediation

Make sure you only enable the Spring Boot Actuator endpoints that you really need and restrict access to these endpoints. It's recommended to enable security for Spring Boot Actuator endpoints using the following configuration (in the Spring properties file): 

management.security.enabled=true

References

Spring Boot Actuator: Production-ready features

Related Vulnerabilities

Chrome Logger information disclosure

SAP NetWeaver server info information disclosure

TLS/SSL certificate key size too small

Apache Tapestry weak secret key

Apache Proxy HTTP CONNECT method enabled

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration