H3-2022-0058
Jolokia Local File Inclusion Misconfiguration
Category: SECURITY_MISCONFIGURATION
Base Score: 7.5
Description
Jolokia is a JMX-HTTP bridge that offers an alternative to JSR-160 connectors. It takes an agent-based approach and supports many platforms.
Impact
When the Jolokia library is on the target application's classpath, Spring Boot automatically exposes it under the '/jolokia' actuator endpoint. The compilerDirectivesAdd operation of the DiagnosticCommand MBean can then be used to disclose the contents of arbitrary files on the misconfigured host.
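A configuration audit for the condition described above, as an added example that is not part of the original advisory: it reports a deployment as exposed unless the Jolokia endpoint is switched off through Spring Boot's `endpoints.jolokia.enabled` (1.x) or `management.endpoint.jolokia.enabled` (2.x) property, or a `jolokia-access.xml` policy denies the operation. The object name `com.sun.management:type=DiagnosticCommand`, the `jolokia-core` jar prefix, the function names and the sample inputs are assumptions not taken from the page.

```python
import fnmatch
import xml.etree.ElementTree as ET

MBEAN = "com.sun.management:type=DiagnosticCommand"  # assumed JMX object name
OPERATION = "compilerDirectivesAdd"                  # operation named in the advisory

def parse_properties(text):
    """Parse key=value lines from application.properties, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def endpoint_disabled(props):
    """True if a Spring Boot property switches the Jolokia endpoint off."""
    keys = ("endpoints.jolokia.enabled",            # Spring Boot 1.x
            "management.endpoint.jolokia.enabled")  # Spring Boot 2.x
    return any(props.get(k, "").lower() == "false" for k in keys)

def policy_denies(access_xml):
    """True if a <deny> rule covers the operation (wildcards via fnmatch, an approximation)."""
    for mbean in ET.fromstring(access_xml).findall("./deny/mbean"):
        name = (mbean.findtext("name") or "").strip()
        ops = [(o.text or "").strip() for o in mbean.findall("operation")]
        if fnmatch.fnmatchcase(MBEAN, name) and any(
                fnmatch.fnmatchcase(OPERATION, o) for o in ops):
            return True
    return False

def audit(jars, properties_text, access_xml=None):
    """Classify one deployment; anything not explicitly closed is 'exposed'."""
    if not any(j.startswith("jolokia-core") for j in jars):
        return "not-applicable"
    if endpoint_disabled(parse_properties(properties_text)):
        return "endpoint-disabled"
    if access_xml and policy_denies(access_xml):
        return "operation-denied"
    return "exposed"

# Constructed sample inputs (not taken from any real host).
SAMPLE_JARS = ["spring-boot-actuator-1.5.22.RELEASE.jar", "jolokia-core-1.6.2.jar"]
SAMPLE_POLICY = """<restrict><deny><mbean>
  <name>com.sun.management:type=DiagnosticCommand</name>
  <operation>*</operation>
</mbean></deny></restrict>"""
```

The audit is deliberately conservative: it does not model authentication in front of the actuator or Spring Boot 2.x web exposure lists, so an "exposed" result means the configuration should be reviewed by hand.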