Skip to content

Springboot Actuator Shutdown Misconfiguration

Description

Spring Boot Actuator is a sub-project of Spring Boot that provides production-ready features to help you monitor and manage your application. Spring Boot Actuator exposes sensitive information about your application such as environment variables, configuration properties, and more. This information can be used by attackers to gain insights into your application and potentially exploit vulnerabilities.

Remediation

It is recommended to secure the Spring Boot Actuator endpoints by restricting access to authorized users only. You can achieve this by configuring security settings in your application properties or by using Spring Security to define access rules for the Actuator endpoints. It is strongly recommended to check the access rules of all the endpoints documented in the following link : https://docs.spring.io/spring-boot/reference/actuator/endpoints.html

Configuration

Identifier: configuration/springboot_actuator_shutdown

Examples

Ignore this check

checks:
  configuration/springboot_actuator_shutdown:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API8:2023

  • pci: 6.5.10

  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.12.6
  • nist: SP800-123
  • fedramp: SI-7

Classification

  • CWE: 284

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVSS_SCORE: 7.5