java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled
returntocorpAuthor
5,552
Download Count*
License
Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.
Run Locally
Run in CI
Defintion
rules:
- id: spring-actuator-fully-enabled
pattern: management.endpoints.web.exposure.include=*
message: Spring Boot Actuator is fully enabled. This exposes sensitive endpoints
such as /actuator/env, /actuator/logfile, /actuator/heapdump and others.
Unless you have Spring Security enabled or another means to protect these
endpoints, this functionality is available without authentication, causing
a severe security risk.
severity: WARNING
languages:
- generic
paths:
include:
- "*properties"
metadata:
cwe:
- "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
owasp:
- A01:2021 - Broken Access Control
references:
- https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints
- https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785
- https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators
category: security
technology:
- spring
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: HIGH
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
spring-actuator-fully-enabled.properties
# ok: spring-actuator-fully-enabled
foo=bar
# ruleid: spring-actuator-fully-enabled
management.endpoints.web.exposure.include=*
Short Link: https://sg.run/L0vY