Exposed Spring Boot actuators in configuration file
ID: java/spring-boot-exposed-actuators-config
Kind: problem
Security severity: 6.5
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-200
Query suites:
   - java-code-scanning.qls
   - java-security-extended.qls
   - java-security-and-quality.qls
Spring Boot includes features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints through configuration files can lead to information disclosure or even to remote code execution.
Recommendation
Since actuator endpoints may contain sensitive information, carefully consider when to expose them, and secure them as you would any sensitive URL. If you need to expose actuator endpoints, use Spring Security, which secures actuators by default, or define a custom security configuration.
Example
The following examples show application.properties configurations that expose sensitive actuator endpoints.
# vulnerable configuration (Spring Boot 1.0 - 1.4): exposes endpoints by default
# vulnerable configuration (Spring Boot 1.5): false value exposes endpoints
management.security.enabled=false
# vulnerable configuration (Spring Boot 2.x): exposes all endpoints
management.endpoints.web.exposure.include=*
# vulnerable configuration (Spring Boot 3.x): exposes all endpoints
management.endpoints.web.exposure.include=*
The configurations below ensure that sensitive actuator endpoints are not exposed.
# safe configuration (Spring Boot 1.0 - 1.4)
management.security.enabled=true
# safe configuration (Spring Boot 1.5+)
management.security.enabled=true
# safe configuration (Spring Boot 2.x): exposes health and info only by default
management.endpoints.web.exposure.include=health,info
# safe configuration (Spring Boot 3.x): exposes health only by default
management.endpoints.web.exposure.include=health
To use Spring Security, which secures actuators by default, add the spring-boot-starter-security dependency to your Maven pom.xml file alongside the actuator starter.
...
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <!-- GOOD: Enable Spring Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
...
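Once spring-boot-starter-security is on the classpath, every actuator endpoint requires authentication by default. The custom security configuration mentioned in the recommendation can be expressed as a SecurityFilterChain that leaves only health and info anonymous and requires a dedicated role for everything else. This is an added example for Spring Boot 3.x / Spring Security 6.x and is not part of the CodeQL query help; the role name ACTUATOR_ADMIN and the use of HTTP Basic are assumptions.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Assumed example configuration (not from the query help): restricts the
// management endpoints only, so application routes keep their own filter chain.
@Configuration
public class ActuatorSecurityConfig {

    @Bean
    SecurityFilterChain actuatorSecurity(HttpSecurity http) throws Exception {
        http
            // Apply this chain to the actuator base path only (/actuator/** by default).
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // health and info are the endpoints the safe configuration above exposes;
                // they may stay reachable without credentials.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // Everything else (env, heapdump, loggers, ...) needs the assumed admin role.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            // HTTP Basic is assumed here; any authentication mechanism works.
            .httpBasic(withDefaults());
        return http.build();
    }
}
```

Pair this with management.endpoints.web.exposure.include=health,info so that sensitive endpoints are both unexposed and, if ever re-exposed, still behind an authenticated role.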
References
- Spring Boot Reference Documentation: Endpoints.
- HackerOne Report: Spring Actuator endpoints publicly available, leading to account takeover.
- Common Weakness Enumeration: CWE-200.