H3-2022-0059
Spring Boot Configuration Properties Actuator Exposed
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 4.5 |
Description
Spring Boot is a Java web application development framework. Spring Boot's Actuator feature provides endpoints that allow developers to monitor and manage their applications. The misconfiguration involves enabling and exposing these actuator endpoints in a production environment. In particular, sensitive endpoints such as /env, /configprops, /heapdump, /logfile, or /shutdown should not be exposed as they can reveal server configuration details, memory dumps, log files, and allow restarts. An attacker can exploit this misconfiguration by simply accessing these endpoints via an HTTP request.
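The weak and hardened forms of this configuration side by side, as an added example (an application.yml written for this page, not taken from the advisory or from Spring Boot's documentation). The property names are Spring Boot's own; the two profile names are illustrative, and the show-values keys exist only on Spring Boot 3.x.

```yaml
# application.yml -- illustration added to this advisory, not its original content.
# First document: the misconfiguration the advisory describes.
spring:
  config:
    activate:
      on-profile: weak-example        # illustrative profile name
management:
  endpoints:
    web:
      exposure:
        include: "*"                  # every endpoint over HTTP, /env, /configprops,
                                      # /heapdump and /logfile included
  endpoint:
    shutdown:
      enabled: true                   # /actuator/shutdown stops the JVM on a POST
    env:
      show-values: ALWAYS             # Boot 3.x: property values returned unmasked
    configprops:
      show-values: ALWAYS
---
# Second document: the hardened form.
spring:
  config:
    activate:
      on-profile: hardened-example    # illustrative profile name
management:
  server:
    port: 9091                        # management listener separate from the public port;
                                      # bind it to an internal interface at the firewall
  endpoints:
    web:
      exposure:
        include: "health,info"        # Boot's default web exposure; nothing else over HTTP
        exclude: "env,configprops,heapdump,logfile,shutdown"   # exclude wins over include
  endpoint:
    shutdown:
      enabled: false                  # Boot's default; stated explicitly
    env:
      show-values: NEVER              # Boot 3.x: keys listed, values masked
    configprops:
      show-values: NEVER
    health:
      show-details: when-authorized   # component details only for authenticated callers
```

Limiting exposure only shrinks what is reachable; whatever remains (health, info) should still sit behind Spring Security or network controls on the management port.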
Impact
Exploiting this misconfiguration may allow an attacker to gain access to sensitive data, such as secrets and credentials, stored in the configuration properties of Spring beans. This can aid in attacks leading to further compromises.