Security Test: Spring Boot Actuator Disclosure of Heap Dump
Description
Default Severity:
The vulnerability occurs when the actuator endpoint that generates heap dumps (`/actuator/heapdump` in Spring Boot 2.x and later, `/heapdump` in 1.x) is reachable over HTTP without authentication or authorization. A heap dump is a snapshot of the JVM heap at the moment of the request, so it contains whatever the application holds in memory: database and API credentials read from configuration, session identifiers and tokens, request and response bodies, environment values, class names and object graphs. An attacker who downloads it can recover those secrets directly and learn the application's internal structure and behavior, which makes targeted follow-up attacks and pivoting to backing services far easier. The issue usually arises from misconfiguration, typically exposing every endpoint with `management.endpoints.web.exposure.include=*` or leaving the management endpoints outside the application's authentication. Left unchecked, it exposes the application to credential theft, data breaches and, through the leaked credentials, unauthorized manipulation of connected systems.
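The check below is an added example, not code from the original page or from any scanner. It probes the default actuator paths, treats only a 200 response whose body starts with the HPROF magic as a real dump (a 200 HTML login page or a JSON error is not), and runs a small secret-pattern triage over the bytes. Assumptions: the Spring Boot 2.x/3.x default path `/actuator/heapdump` (1.x used `/heapdump`), an HPROF-format dump as produced by HotSpot JVMs, and a constructed sample dump for the offline demonstration; the secret patterns are illustrative and should be extended per application.

```python
"""Check a Spring Boot target for an unauthenticated actuator heap dump.

Added example, not code from the original page or from any scanner. Assumptions:
the Spring Boot 2.x/3.x default path /actuator/heapdump (1.x used /heapdump),
an HPROF-format dump (HotSpot JVMs), and a constructed sample dump for the
offline demonstration.
"""
import re
import zlib
from typing import Dict, List, Optional
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

HPROF_MAGIC = b"JAVA PROFILE 1.0."   # HPROF files start with e.g. "JAVA PROFILE 1.0.2\0"
GZIP_MAGIC = b"\x1f\x8b"
CANDIDATE_PATHS = ("/actuator/heapdump", "/heapdump")   # assumption: default actuator paths

# Illustrative triage patterns for strings that commonly sit in a heap; extend per application.
SECRET_PATTERNS = {
    "spring.datasource.password": rb"spring\.datasource\.password=([^\s\x00]+)",
    "aws_access_key_id": rb"\b(AKIA[0-9A-Z]{16})\b",
    "jwt": rb"\b(eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,})",
}


def normalize(body: bytes) -> bytes:
    """Strip gzip framing if present; a truncated stream still yields the leading bytes."""
    if body.startswith(GZIP_MAGIC):
        try:
            return zlib.decompressobj(wbits=31).decompress(body)
        except zlib.error:
            return body
    return body


def is_heap_dump(status: int, body: bytes) -> bool:
    """A real dump is a 200 whose body starts with the HPROF magic.

    Status and Content-Type alone are not evidence: SSO setups often answer 200
    with an HTML login page, and error bodies can be served as octet-stream.
    """
    return status == 200 and normalize(body).startswith(HPROF_MAGIC)


def find_secrets(dump: bytes) -> Dict[str, List[str]]:
    """Scan dump bytes for secret-looking strings.

    JDK 9+ compact strings store Latin-1 text one byte per char, so ASCII
    patterns match directly; UTF-16 strings need a separate pass (e.g. strings -el).
    """
    data = normalize(dump)
    found: Dict[str, List[str]] = {}
    for name, pattern in SECRET_PATTERNS.items():
        hits = sorted({m.group(1).decode("latin-1") for m in re.finditer(pattern, data)})
        if hits:
            found[name] = hits
    return found


def probe(base_url: str, timeout: float = 10.0, read_bytes: int = 4096) -> Optional[str]:
    """Live check: read only the first bytes of each candidate path.

    Returns the exposed path, or None. 401/403/404 mean the endpoint is
    protected or not exposed; a network failure aborts the probe.
    """
    for path in CANDIDATE_PATHS:
        req = Request(base_url.rstrip("/") + path, headers={"User-Agent": "heapdump-check"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                if is_heap_dump(resp.status, resp.read(read_bytes)):
                    return path
        except HTTPError:
            continue
        except URLError:
            return None
    return None


def constructed_sample_dump() -> bytes:
    """Constructed stand-in for a dump: HPROF header plus strings as they sit in heap memory."""
    return (b"JAVA PROFILE 1.0.2\x00" + b"\x00" * 32
            + b"spring.datasource.password=Sup3rS3cret!\x00"
            + b"\x00AKIAABCDEFGHIJKLMNOP\x00"
            + b"fake-noise\x00")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("exposed at:", probe(sys.argv[1]))   # e.g. python check.py https://app.example
    else:
        sample = constructed_sample_dump()
        print("is_heap_dump:", is_heap_dump(200, sample))
        print("secrets:", find_secrets(sample))
```

Reading only the first few kilobytes matters because a production heap dump can be gigabytes, and the HPROF magic in the first bytes is already proof of exposure. On the fixing side, the usual remediation is to stop exposing the endpoint over the web (`management.endpoints.web.exposure.include=health,info` rather than `*`, or `management.endpoint.heapdump.enabled=false`) and to put the remaining management endpoints behind the application's authentication; after the change, the probe should see a 401/403/404 instead of HPROF bytes.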
Configuration
Identifier:
information_disclosure/springboot_actuator_heapdump
Examples
All configuration available:
Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API8:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.10 |
| GDPR | Article-32 |
| SOC2 | CC6 |
| PSD2 | Article-95 |
| ISO 27001 | A.12.6 |
| NIST | SP800-123 |
| FedRAMP | AC-6 |
| CWE | 200 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSS Score | 9.8 |