• CodeQL query help documentation »
• CodeQL query help for Java and Kotlin »

Exposed Spring Boot actuators in configuration file

ID: java/spring-boot-exposed-actuators-config
Kind: problem
Security severity: 6.5
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-200
Query suites:
   - java-code-scanning.qls
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

Spring Boot includes features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints through configuration files can lead to information disclosure or even to remote code execution.

Recommendation

Since actuator endpoints may contain sensitive information, carefully consider when to expose them, and secure them as you would any sensitive URL. If you need to expose actuator endpoints, use Spring Security, which secures actuators by default, or define a custom security configuration.

Example

The following examples show application.properties configurations that expose sensitive actuator endpoints.

# vulnerable configuration (Spring Boot 1.0 - 1.4): exposes endpoints by default

# vulnerable configuration (Spring Boot 1.5): false value exposes endpoints
management.security.enabled=false

# vulnerable configuration (Spring Boot 2.x): exposes all endpoints
management.endpoints.web.exposure.include=*

# vulnerable configuration (Spring Boot 3.x): exposes all endpoints
management.endpoints.web.exposure.include=*

The below configurations ensure that sensitive actuator endpoints are not exposed.

# safe configuration (Spring Boot 1.0 - 1.4)
management.security.enabled=true

# safe configuration (Spring Boot 1.5+)
management.security.enabled=true

# safe configuration (Spring Boot 2.x): exposes health and info only by default
management.endpoints.web.exposure.include=health,info

# safe configuration (Spring Boot 3.x): exposes health only by default
management.endpoints.web.exposure.include=health

To use Spring Security, which secures actuators by default, add the spring-boot-starter-security dependency in your Maven pom.xml file.

...
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>

        <!-- GOOD: Enable Spring Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
...

References

• Spring Boot Reference Documentation: Endpoints.

• HackerOne Report: Spring Actuator endpoints publicly available, leading to account takeover

• Common Weakness Enumeration: CWE-200.

• © GitHub, Inc.
• Terms
• Privacy