JavaMelody publicly accessible
Description
JavaMelody is a monitoring tool for Java and Java EE applications that provides detailed performance metrics, statistics, and system information. An accessible JavaMelody monitoring interface has been detected on this web application without apparent access restrictions.
While the monitoring dashboard typically does not display sensitive credentials directly, it exposes detailed application internals, system configuration, performance data, and architectural information that should be restricted to authorized personnel only. Some application servers (Jenkins, JIRA, Confluence, Bamboo, Liferay) automatically secure JavaMelody through built-in role-based access controls, but standalone deployments require manual security configuration.
Remediation
Implement access controls to restrict the JavaMelody monitoring interface to authorized administrators only. The recommended approach depends on your deployment method:
1. For servlet-based applications: Configure security constraints in your web.xml file to require authentication:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JavaMelody</web-resource-name>
    <url-pattern>/monitoring</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<!-- The constraint needs an authentication method and a declared role, otherwise no one (administrators included) can log in to the page -->
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
2. For Spring Boot applications: Add security configuration to restrict the monitoring endpoint:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // JavaMelody report and everything beneath it: administrators only
                .requestMatchers("/monitoring/**").hasRole("ADMIN")
                // rules for the rest of the application go here
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
3. Alternative approaches: Use reverse proxy authentication (nginx, Apache), network-level restrictions (firewall rules, IP allowlisting), or disable JavaMelody entirely in production environments if monitoring is not required.
Verify that access controls are properly enforced by attempting to access the monitoring interface without authentication. Consult the JavaMelody security documentation for deployment-specific guidance.
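The verification step above can be scripted. The following is an added example, not part of this finding or of the JavaMelody project: it requests the report path anonymously, does not follow redirects (so a bounce to a login page is reported rather than silently followed), and classifies the outcome. The "JavaMelody" marker in the page body, the report path and the custom User-Agent are assumptions chosen for the example.

```python
"""Check whether a JavaMelody report URL is served without authentication."""
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as errors instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body):
    """Map the anonymous response to a finding state."""
    if status in (401, 403):
        return "protected"      # container, framework or proxy demanded credentials
    if status in (301, 302, 303, 307, 308):
        return "redirected"     # likely a login page; confirm the target manually
    if status == 404:
        return "absent"         # nothing served at this path
    if status == 200 and "JavaMelody" in body:   # assumed marker in the report HTML
        return "exposed"        # report rendered for an unauthenticated client
    return "unknown"


def check_monitoring(base_url, path="/monitoring", opener=None, timeout=10):
    """Fetch base_url + path anonymously and classify the result.

    `opener` is anything with open(request, timeout=...); by default a urllib
    opener that surfaces redirects as HTTPError so classify() sees the 3xx.
    """
    opener = opener or urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "javamelody-exposure-check"})  # assumed UA string
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(262_144).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify(err.code, "")


if __name__ == "__main__":
    import sys
    for url in sys.argv[1:]:
        print(url, check_monitoring(url))
```

Run it against your own deployment after applying one of the controls above; anything other than "protected" (or a "redirected" result whose target is the login page) means the remediation is not yet effective.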