Springboot Actuator Disclosure of Heap Dump
Description
Spring Boot Actuator is a sub-project of Spring Boot that provides production-ready features to help you monitor and manage your application. Spring Boot Actuator exposes sensitive information about your application such as environment variables, configuration properties, and more. This information can be used by attackers to gain insights into your application and potentially exploit vulnerabilities.
Remediation
It is recommended to secure the Spring Boot Actuator endpoints by restricting access to authorized users only. You can achieve this by configuring security settings in your application properties or by using Spring Security to define access rules for the Actuator endpoints. It is strongly recommended to check the access rules of all the endpoints documented in the following link : https://docs.spring.io/spring-boot/reference/actuator/endpoints.html
Configuration
Identifier:
information_disclosure/springboot_actuator_heapdump
Examples
Ignore this check
checks:
information_disclosure/springboot_actuator_heapdump:
skip: true
Score
- Escape Severity: HIGH
Compliance
OWASP: API8:2023
pci: 6.5.10
gdpr: Article-32
soc2: CC6
psd2: Article-95
iso27001: A.12.6
nist: SP800-123
fedramp: AC-6
Classification
- CWE: 200
Score
- CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS_SCORE: 9.8