java.spring.security.audit.spring-actuator-fully-enabled-yaml.spring-actuator-fully-enabled-yaml

Author
unknown
Download Count*
License
Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.
Run Locally
Run in CI
Defintion
rules:
- id: spring-actuator-fully-enabled-yaml
patterns:
- pattern-inside: |
management:
...
endpoints:
...
web:
...
exposure:
...
- pattern: |
include: "*"
message: Spring Boot Actuator is fully enabled. This exposes sensitive endpoints
such as /actuator/env, /actuator/logfile, /actuator/heapdump and others.
Unless you have Spring Security enabled or another means to protect these
endpoints, this functionality is available without authentication, causing
a severe security risk.
severity: WARNING
languages:
- yaml
metadata:
cwe:
- "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
owasp:
- A01:2021 - Broken Access Control
references:
- https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints
- https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785
- https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators
category: security
technology:
- spring
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: HIGH
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
spring-actuator-fully-enabled-yaml.test.yaml
server:
port: 8081
management:
endpoints:
web:
# ok: spring-actuator-fully-enabled-yaml
base-path: /internal
exposure:
# ruleid: spring-actuator-fully-enabled-yaml
include: "*"
Short Link: https://sg.run/1Bzw