Spring Boot Misconfiguration: Admin MBean enabled - Vulnerability Database

Spring Boot Misconfiguration: Admin MBean enabled

Description

This Spring Boot application has the Admin MBean feature enabled through the spring.application.admin.enabled property. The Admin MBean exposes administrative operations via JMX (Java Management Extensions), allowing management and control of the application at runtime. When enabled in production environments, this feature creates an unnecessary attack surface that can be exploited by unauthorized users.

Remediation

Disable the Admin MBean feature in production environments by setting the spring.application.admin.enabled property to false. This should be configured in your Spring Boot application properties file:

For application.properties:

    spring.application.admin.enabled=false

For application.yml:

    spring:
      application:
        admin:
          enabled: false

If administrative features are required for production monitoring, implement them through secure, authenticated endpoints with proper access controls rather than relying on JMX MBeans. Additionally, ensure that JMX access is restricted to localhost only and protected by authentication if it must remain enabled.
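A small configuration audit, added here as an illustration and not part of Invicti's scanner, that reads the two file formats shown above and reports whether spring.application.admin.enabled is set to true. The sample configuration strings are constructed for the example; the YAML reader is a minimal indentation-based walk (no PyYAML dependency) that handles the nesting form shown in the remediation and the flattened dotted-key form.

```python
"""Flag Spring Boot configs that enable the Admin MBean (spring.application.admin.enabled=true)."""
import re

KEY = "spring.application.admin.enabled"

# Constructed samples: the misconfigured form and the remediated form in each format.
PROPERTIES_BAD = "server.port=8080\nspring.application.admin.enabled=true\n"
PROPERTIES_OK = "server.port=8080\nspring.application.admin.enabled=false\n"
YAML_BAD = "spring:\n  application:\n    name: demo\n    admin:\n      enabled: true\n"
YAML_OK = "spring:\n  application:\n    admin:\n      enabled: false\n"


def properties_value(text):
    """Return the value of KEY from application.properties text, or None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):   # comments in .properties
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)  # key=value, key: value, key value
        if m and m.group(1) == KEY:
            return m.group(2).strip()
    return None


def yaml_value(text):
    """Return the value of KEY from application.yml text by tracking indentation."""
    path = []  # stack of (indent, key) for the current nesting
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:  # leave deeper or sibling keys
            path.pop()
        path.append((indent, key.strip()))
        if ".".join(k for _, k in path) == KEY:  # also matches a flattened dotted key
            return value.strip()
    return None


def admin_mbean_enabled(text, fmt):
    """True when the config explicitly enables the Admin MBean; the default is disabled."""
    value = properties_value(text) if fmt == "properties" else yaml_value(text)
    return value is not None and value.strip('"\'').lower() == "true"


def audit_samples():
    """Run the check over the constructed samples; returns {sample_name: enabled?}."""
    return {"properties_bad": admin_mbean_enabled(PROPERTIES_BAD, "properties"),
            "properties_ok": admin_mbean_enabled(PROPERTIES_OK, "properties"),
            "yaml_bad": admin_mbean_enabled(YAML_BAD, "yaml"),
            "yaml_ok": admin_mbean_enabled(YAML_OK, "yaml")}
```

Point the two reader functions at real application.properties and application.yml files (including profile-specific variants such as application-prod.yml) to find any environment that still enables the MBean.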
