Security Test: Springboot Actuator Shutdown Misconfiguration
Description
Default Severity:
Spring Boot Actuator includes management endpoints, one of which lets you shut the application down gracefully. The issue arises when this shutdown endpoint, or other sensitive endpoints that expose internal details, is unintentionally left reachable over the network in a production environment. An attacker who can reach it can trigger a shutdown, causing a denial of service. Default configurations or misconfigured security rules can therefore expose dangerous functionality, leaving the application open to disruption, or to further exploitation if other sensitive endpoints are exposed in the same way.
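As an added example (not code from the original test description), the following audit reads a Spring Boot application.properties file and decides whether the Actuator shutdown endpoint is effectively reachable over HTTP, using the two properties that govern it in Spring Boot: `management.endpoint.shutdown.enabled` (off by default) and the web exposure include/exclude lists (`management.endpoints.web.exposure.include`, default `health`). The weak and hardened property files embedded below are constructed samples.

```python
"""Configuration audit for an exposed Actuator shutdown endpoint.

Spring Boot serves /actuator/shutdown only when BOTH conditions hold:
  * management.endpoint.shutdown.enabled=true (the endpoint is disabled by default)
  * the web exposure include list contains "shutdown" or "*", and the exclude
    list does not remove it (exclude takes precedence over include)
Binding the management port to localhost is a further mitigation that this
simple check does not model.
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser: key=value lines; '#' and '!' comments ignored."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _as_set(value: str) -> set[str]:
    return {item.strip() for item in value.split(",") if item.strip()}


def shutdown_exposed(props: dict[str, str]) -> bool:
    """True when the shutdown endpoint is enabled AND exposed over the web."""
    enabled = props.get("management.endpoint.shutdown.enabled", "false").lower() == "true"
    include = _as_set(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _as_set(props.get("management.endpoints.web.exposure.exclude", ""))
    included = "shutdown" in include or "*" in include
    excluded = "shutdown" in exclude or "*" in exclude
    return enabled and included and not excluded


def audit(properties_text: str) -> bool:
    """Convenience wrapper: parse a properties file and report exposure."""
    return shutdown_exposed(parse_properties(properties_text))


# Constructed sample: shutdown enabled and every endpoint exposed on the app port.
WEAK_PROPERTIES = """
management.endpoint.shutdown.enabled=true
management.endpoints.web.exposure.include=*
"""

# Constructed sample: shutdown left disabled and only health exposed.
HARDENED_PROPERTIES = """
management.endpoint.shutdown.enabled=false
management.endpoints.web.exposure.include=health,info
"""

if __name__ == "__main__":
    print("weak config exposes shutdown:", audit(WEAK_PROPERTIES))          # True
    print("hardened config exposes shutdown:", audit(HARDENED_PROPERTIES))  # False
```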
Configuration
Identifier:
configuration/springboot_actuator_shutdown
Examples
All configuration available:
Compliance and Standards
| Standard | Value |
|---|---|
OWASP API Top 10 | API8:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 6.5.10 |
GDPR | Article-32 |
SOC2 | CC6 |
PSD2 | Article-95 |
ISO 27001 | A.12.6 |
NIST | SP800-123 |
FedRAMP | SI-7 |
CWE | 284 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS Score | 7.5 |