java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled
returntocorpAuthor
unknown
Download Count*
License
Spring Boot Actuators "$...ACTUATORS" are enabled. Depending on the actuators, this can pose a significant security risk. Please double-check if the actuators are needed and properly secured.
Run Locally
Run in CI
Defintion
rules:
- id: spring-actuator-dangerous-endpoints-enabled
patterns:
- pattern: management.endpoints.web.exposure.include=$...ACTUATORS
- metavariable-comparison:
metavariable: $...ACTUATORS
comparison: not str($...ACTUATORS) in ["health","*"]
message: Spring Boot Actuators "$...ACTUATORS" are enabled. Depending on the
actuators, this can pose a significant security risk. Please double-check
if the actuators are needed and properly secured.
severity: WARNING
languages:
- generic
options:
generic_ellipsis_max_span: 0
metadata:
cwe:
- "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
owasp:
- A01:2021 - Broken Access Control
references:
- https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints
- https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785
- https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators
category: security
technology:
- spring
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: HIGH
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
spring-actuator-non-health-enabled.properties
# ok: spring-actuator-dangerous-endpoints-enabled
foo=bar
# ruleid: spring-actuator-dangerous-endpoints-enabled
management.endpoints.web.exposure.include=health,prometheus,logfile,env
# ok: spring-actuator-dangerous-endpoints-enabled
management.endpoints.web.exposure.include=health
# ok: spring-actuator-dangerous-endpoints-enabled
management.endpoints.web.exposure.include=*Short Link: https://sg.run/5g23