Exposure of Sensitive Information to an Unauthorized Actor
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
The Spring Boot Actuator endpoints are fully exposed without authentication, allowing anyone to access sensitive operational data and controls. This misconfiguration can reveal critical details like environment variables, logs, and even memory dumps.
Impact
Attackers can remotely access sensitive information and internal application data, potentially exposing secrets, configuration, or user data. They may also leverage exposed endpoints to further compromise, disrupt, or control the application, leading to data breaches or service outages.
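The remediation the description implies, as an added example rather than code from this page or from the Spring project: a Spring Boot 3 / Spring Security 6 filter chain that puts every Actuator endpoint behind authentication, with only the health probe left anonymous. The role name `ACTUATOR_ADMIN` and the health-only exception are assumptions for illustration.

```java
// Added example (not from the original page): keep the Spring Boot Actuator
// behind authentication. Assumes Spring Boot 3 / Spring Security 6; the role
// "ACTUATOR_ADMIN" and the health-only exception are illustrative choices.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // EndpointRequest resolves the configured management base path at runtime,
    // so this chain covers the Actuator even if management.endpoints.web.base-path
    // is changed. If another SecurityFilterChain matches "/**", give this bean
    // higher precedence with @Order so the Actuator rules are evaluated first.
    @Bean
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probes may stay anonymous; nothing else does.
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // env, loggers, heapdump, threaddump, etc. require an operator role.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Pair this with a restricted exposure list in application.properties, e.g.
    //   management.endpoints.web.exposure.include=health,info,metrics
    // rather than "*", which publishes every endpoint over HTTP; authentication
    // limits who can call the endpoints, the exposure list limits which exist.
}
```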