Summary #

Invicti detected that the Spring Boot web application exposes Spring Boot Actuator endpoints that require no authentication. Actuator endpoints let you monitor and interact with a running application: Spring Boot ships a number of built-in endpoints (for example, the health endpoint returns basic application health information) and lets you add your own.

This web application is configured with management.security.enabled=false, which disables security (authentication) for all Spring Boot Actuator endpoints. The property belongs to Spring Boot 1.x, where sensitive Actuator endpoints are protected by default when Spring Security is on the classpath; setting it to false removes that protection. Spring Boot 2.x removed the property entirely, so on 2.x an unauthenticated Actuator means endpoints were exposed over HTTP without a Spring Security rule covering them.

Impact #

An attacker can reach every Spring Boot Actuator endpoint without authentication. Several endpoints return highly sensitive data: heapdump serves a complete JVM heap dump, which can contain credentials, session tokens and any other secret held in memory; env and configprops reveal environment variables and configuration values; mappings and beans describe the application's internals to anyone planning further attacks. Endpoints that accept POST requests, such as loggers or shutdown (where enabled), go beyond disclosure and let the attacker change the running application's state.

Actions To Take #

It's recommended to enable security for Spring Boot Actuator endpoints. On Spring Boot 1.x, set the following in the Spring properties file:

management.security.enabled=true

On Spring Boot 2.x and later this property no longer exists and has no effect. Instead, add spring-boot-starter-security, limit the endpoints exposed over HTTP with management.endpoints.web.exposure.include, and require authentication for the remaining ones with a Spring Security rule. After deploying the change, confirm that an unauthenticated request to a sensitive endpoint such as /actuator/heapdump (or /heapdump on 1.x) is refused with a 401 or 403 instead of returning 200.
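A Spring Boot 2.x/3.x configuration that protects the Actuator, shown here as an added example; it is not part of the original Invicti page and not code from any Spring project. It assumes spring-boot-starter-actuator and spring-boot-starter-security are on the classpath, and the role name ACTUATOR, the username "monitor", the package name and the property values are illustrative choices:

```java
package example.actuator; // hypothetical package name

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

/*
 * Pair this class with the following settings in application.properties
 * (illustrative values). Only health and info are reachable over HTTP at all;
 * heapdump, env, configprops and the rest stay unexposed even for
 * authenticated users, which is the equivalent of the 1.x "sensitive" default.
 *
 *   management.endpoints.web.exposure.include=health,info
 *   management.endpoint.health.show-details=when-authorized
 *   management.endpoint.shutdown.enabled=false
 */
@Configuration
public class ActuatorSecurityConfig {

    @Bean
    SecurityFilterChain actuatorSecurity(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // health stays anonymous so load balancers can probe it;
                // show-details=when-authorized keeps component detail from them
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // every other Actuator endpoint needs a user holding ROLE_ACTUATOR
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
                // the application's own routes: adjust to its real access policy
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // In-memory monitoring user for the example only; a real deployment takes
    // the credentials from a secret store or an external identity provider.
    @Bean
    UserDetailsService actuatorUsers() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername("monitor")                               // assumed username
                .password(encoder.encode("change-me-before-deploy"))   // assumed placeholder
                .roles("ACTUATOR")                                     // grants ROLE_ACTUATOR
                .build());
    }
}
```

After a restart, `curl -i http://localhost:8080/actuator/env` without credentials should return 401, and with `-u monitor:<password>` it returns 404 because env is not in the exposure list; only `/actuator/health` keeps answering anonymously. If the application already defines its own SecurityFilterChain, give this one an @Order and scope it to the Actuator with `http.securityMatcher(EndpointRequest.toAnyEndpoint())` (Spring Security 5.8+/6) rather than letting `anyRequest()` override the application's policy.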
Classifications #
CWE-16; OWASP 2013-A5; OWASP 2017-A6; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N