Security Test: Springboot Actuator Disclosure of Thread Dump
Description
Default Severity:
Developers sometimes forget to properly secure the built-in management features that frameworks such as Spring Boot provide. One such risk is the thread dump endpoint of Spring Boot Actuator. If this endpoint is left open or weakly protected, an attacker can read detailed information about how the application's threads are running, such as which methods are executing and where bottlenecks or errors are occurring. This data can help an attacker work out how to exploit hidden weaknesses in the application or learn sensitive internal mechanics they should not know. A common mistake is relying on default settings that expose this sensitive information in production, so access to these debug endpoints should be restricted, or the endpoints disabled, in a live environment.
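The following Spring Security configuration is an added example, not code from this page or from the Spring project, showing the hardened counterpart to the misconfiguration described above. It assumes Spring Boot 3 with Spring Security 6 on the classpath, and the role name `ACTUATOR_ADMIN` is an assumption chosen for illustration. The comments also contrast the weak `application.properties` setting with the corrected one.

```java
// Added example: lock down Spring Boot Actuator so that the thread dump
// endpoint (/actuator/threaddump) is never reachable anonymously.
//
// Weak setting often found in application.properties (exposes every endpoint,
// including threaddump, heapdump and env, over HTTP):
//   management.endpoints.web.exposure.include=*
//
// Corrected setting: expose only what production monitoring needs, and keep
// the debug-oriented thread dump endpoint switched off entirely.
//   management.endpoints.web.exposure.include=health,info
//   management.endpoint.threaddump.enabled=false
//
// The filter chain below is the second layer: even if an operator later adds
// threaddump back to the exposure list, it still requires an authenticated
// user holding the (assumed) ACTUATOR_ADMIN role.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Ordered before the application's main filter chain so that actuator
    // paths are matched here first and cannot fall through to a permissive
    // catch-all rule elsewhere.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // Apply this chain only to actuator endpoint URLs.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness and build info are safe for load balancers
                // and dashboards to read without credentials.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // Everything else (threaddump, heapdump, env, loggers, ...)
                // requires an authenticated operator with the admin role.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            // HTTP Basic is sufficient for machine-to-machine ops access;
            // swap for your organisation's SSO/OAuth2 resource-server setup.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With both layers in place, an unauthenticated request to `/actuator/threaddump` returns 401 (or 404 when the endpoint is disabled), which is the behaviour this test expects to observe; a 200 response with a JSON thread list is the finding.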
Configuration
Identifier:
information_disclosure/springboot_actuator_dump
Examples
All configuration available:
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API8:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 6.5.10 |
GDPR | Article-32 |
SOC2 | CC6 |
PSD2 | Article-95 |
ISO 27001 | A.12.6 |
NIST | SP800-123 |
FedRAMP | AC-6 |
CWE | 215 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
CVSS Score | 5.3 |