Exposure of Sensitive Information to an Unauthorized Actor
| Property | |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
The application maps every Spring Boot Actuator endpoint over HTTP and serves them without authentication, so sensitive data and operational controls are reachable by anyone who can reach the service. The usual cause is `management.endpoints.web.exposure.include=*` in the application configuration combined with either no Spring Security on the classpath or a security rule that permits anonymous access to `/actuator/**`. With that setup an unauthenticated client can call endpoints such as `/actuator/env` (configuration properties and environment variables), `/actuator/logfile` (the application log) and `/actuator/heapdump` (a full JVM heap dump, which contains whatever secrets are in memory regardless of property masking), as well as writable endpoints such as `/actuator/loggers`, which accepts POST requests that change log levels at runtime.
Impact
An attacker can read configuration and credentials, download logs and heap dumps, and change runtime behaviour through the writable endpoints. Secrets recovered this way (database passwords, API keys, cloud credentials, session material found in a heap dump) typically lead to data exposure and to lateral movement into the databases, message brokers and cloud accounts the application talks to, compromising the application and the infrastructure behind it.
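The weak setting beside a corrected `application.properties`, as an added example that is not part of the original rule page. The Prometheus endpoint, the management port 9090 and the loopback bind address are assumptions made for illustration:

```properties
# Added example (not from the original page). Assumed: a Spring Boot 2.x/3.x app with the
# Actuator starter and a Prometheus scraper; port 9090 and 127.0.0.1 are placeholders.

# --- Weak setting that triggers this finding (left as a comment so the file stays valid) ---
# Maps every built-in endpoint (env, heapdump, logfile, loggers, ...) under /actuator over HTTP.
# Without Spring Security on the classpath, or with permitAll() on /actuator/**, all are anonymous.
# management.endpoints.web.exposure.include=*

# --- Corrected configuration ---
# Allow-list only what monitoring needs. The framework default is just "health"
# (older 2.x releases also exposed "info").
management.endpoints.web.exposure.include=health,info,prometheus
# Belt and braces: exclude takes precedence over include, so these stay unmapped
# even if someone later widens the include list.
management.endpoints.web.exposure.exclude=env,heapdump,logfile,threaddump,beans,mappings,conditions
# Return health component details only to authenticated callers; anonymous probes get UP/DOWN.
management.endpoint.health.show-details=when-authorized
# Shutdown is disabled by default; state it explicitly so a copied template cannot enable it silently.
management.endpoint.shutdown.enabled=false
# Serve management endpoints on a separate listener bound to loopback so the public ingress
# never reaches them; the monitoring sidecar or host agent scrapes them locally.
management.server.port=9090
management.server.address=127.0.0.1
```

Exposure only decides which endpoints are mapped; authentication comes from Spring Security. When Spring Security is on the classpath and the application defines no `SecurityFilterChain` of its own, Spring Boot's auto-configuration requires an authenticated user for every actuator endpoint except `health`; an application-defined chain that calls `permitAll()` on `EndpointRequest.toAnyEndpoint()` or on `/actuator/**` reproduces this finding even with a narrow include list. To confirm the fix, request `/actuator/env` and `/actuator/heapdump` anonymously on the public port: the acceptable responses are 404 (not mapped) or 401/403 (mapped but protected), never 200.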