Spring Boot Misconfiguration: All Spring Boot Actuator endpoints are web exposed

Summary#

Spring Boot Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own.

By default, all endpoints but shutdown are enabled but only health and info are exposed.

This web application is configured with management.endpoints.web.expose=* or management.endpoints.web.exposure.include=* that is exposing all Spring Boot Actuator endpoints.

Impact#

Some Actuator endpoints like the heapdump endpoint disclose very sensitive information such as the heap dump. Make sure you restrict access to these endpoints to prevent abuse.

Actions To Take#

Make sure you only enable the Spring Boot Actuator endpoints that you really need and restrict access to these endpoints.

It's recommended to enable security for Spring Boot Actuator endpoints using the following configuration (in the Spring properties file):

management.security.enabled=true

Classifications#

OWASP 2017-A6, OWASP 2013-A5, CWE-16, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Spring Boot Misconfiguration: All Spring Boot Actuator endpoints are web exposed

Related Articles

Build your resistance to threats. And save hundreds of hours each month.