Skip to content

Security Test: Springboot Actuator Disclosure of Environment

Description

Default Severity:

The issue arises when Spring Boot apps leave physical keys open by exposing an actuator endpoint that shows sensitive details about the environment and configuration. This can give attackers insights into your system, such as internal settings and credentials, which they might use to launch further attacks. Developers often overlook restricting access to these endpoints or turning them off in production, and that oversight can lead to information leaks that jeopardize the entire application.

Configuration

Identifier: information_disclosure/springboot_actuator_env

Examples

All configuration available:

checks:
  information_disclosure/springboot_actuator_env:
    skip: false # default

Compliance and Standards

Standard Value
OWASP API Top 10 API7:2023
OWASP LLM Top 10 LLM06:2023
PCI DSS 6.5.5
GDPR Article-32
SOC2 CC6
PSD2 Article-95
ISO 27001 A.14.2
NIST SP800-53
FedRAMP AC-6
CWE 200
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
CVSS Score 5.1