Security Test: Springboot Actuator Disclosure of Environment¶
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | Frontend Scanner |
|---|---|---|
Description¶
Default Severity:
The issue arises when Spring Boot apps leave physical keys open by exposing an actuator endpoint that shows sensitive details about the environment and configuration. This can give attackers insights into your system, such as internal settings and credentials, which they might use to launch further attacks. Developers often overlook restricting access to these endpoints or turning them off in production, and that oversight can lead to information leaks that jeopardize the entire application.
Configuration¶
Identifier:
information_disclosure/springboot_actuator_env
Examples¶
All configuration available:
Compliance and Standards¶
| Standard | Value |
|---|---|
| OWASP API Top 10 | API7:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.5 |
| GDPR | Article-32 |
| SOC2 | CC6 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | AC-6 |
| CWE | 200 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
| CVSS Score | 5.1 |