Security Test: Springboot Actuator Disclosure of Trace
Description
Default Severity:
Spring Boot Actuator can expose sensitive details about your application if it is not properly secured. By default, certain endpoints may reveal environment settings, configuration details, and traces of recent HTTP requests that expose the internal workings of your app. An attacker who can read this data learns about the system's internals and may use that knowledge to identify weaknesses to exploit. Developers often forget to restrict these endpoints in production, leaving their systems exposed.
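The usual remediation is to keep the sensitive actuator endpoints behind authentication while leaving the health probe reachable. The Spring Security configuration below is an added example written for this page; it is not part of the scanner or of any project the page describes. It assumes Spring Boot 3 with Spring Security 6 and Spring Boot Actuator on the classpath; the role name `ACTUATOR_ADMIN` is an assumption and should be replaced by whatever role your operators actually hold.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example: a dedicated security filter chain for Spring Boot Actuator.
 * Every actuator endpoint (env, configprops, httpexchanges/httptrace, ...)
 * requires an authenticated caller with an admin role; only the health
 * endpoint stays open so load balancers and orchestrators can probe it.
 */
@Configuration
public class ActuatorSecurityConfig {

    @Bean
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // Scope this chain to actuator endpoints only; the application's
            // regular security chain keeps handling everything else.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness checks remain reachable without credentials.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Everything else needs the (assumed) ACTUATOR_ADMIN role.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Pair this with a restrictive exposure list in `application.properties`, for example `management.endpoints.web.exposure.include=health,info`, so that endpoints such as `env` and `httpexchanges` are not published over HTTP at all unless you deliberately add them. Note that request tracing is not active by default: Spring Boot only serves it when the application defines an `HttpTraceRepository` bean (Boot 2.x, endpoint `httptrace`) or an `HttpExchangeRepository` bean (Boot 3.x, endpoint `httpexchanges`), so an exposed trace endpoint normally means someone added that bean for debugging and left it in. To verify the fix, an unauthenticated request to `/actuator/env` on the deployed application should return `401` rather than the environment dump.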
Configuration
Identifier:
information_disclosure/springboot_actuator_trace
Examples
All configuration available:
Compliance and Standards
| Standard | Value |
|---|---|
OWASP API Top 10 | API8:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 6.5.10 |
GDPR | Article-32 |
SOC2 | CC6 |
PSD2 | Article-95 |
ISO 27001 | A.12.6 |
NIST | SP800-123 |
FedRAMP | AC-6 |
CWE | 200 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS Score | 9.8 |