Title: [Java] CWE-016: Query to detect insecure configuration of Spring Boot Actuator · Issue #310 · github/securitylab · GitHub
Open Graph Title: [Java] CWE-016: Query to detect insecure configuration of Spring Boot Actuator · Issue #310 · github/securitylab
X Title: [Java] CWE-016: Query to detect insecure configuration of Spring Boot Actuator · Issue #310 · github/securitylab
Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. Report Describe the vulnerability. Provide any information you think will help GitHub assess the imp...
Open Graph Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. Report Describe the vulnerability. Provide any information y...
X Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. Report Describe the vulnerability. Provide any information y...
Opengraph URL: https://github.com/github/securitylab/issues/310
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Java] CWE-016: Query to detect insecure configuration of Spring Boot Actuator ","articleBody":"## CVE ID(s)\r\n\r\n*List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).*\r\n\r\n## Report\r\n\r\n*Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.*\r\n\r\nSpring Boot is a popular framework that facilitates the development of stand-alone applications and micro services. Spring Boot Actuator helps to expose production-ready support features against Spring Boot applications.\r\n\r\nEndpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. Exposing unprotected actuator endpoints through configuration files can lead to information disclosure or even remote code execution vulnerability.\r\n\r\nRather than programmatically permitting endpoint requests or enforcing access control, frequently developers simply leave management endpoints publicly accessible in the application configuration file \u003ccode\u003eapplication.properties\u003c/code\u003e without enforcing any access control through Spring Security.\r\n\r\nThis is a very common issue and is also one of the highest rewarded vulnerabilities on the HackerOne platform. The query detects this issue in Spring Boot projects with Maven and application.properties, which is the most widely adopted deployment scenario.\r\n\r\nRelevant PR: [#5384](https://github.com/github/codeql/pull/5384)\r\n\r\n- [x] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). *We would love to have you spread the word about the good work you are doing*\r\n\r\n## Result(s)\r\n\r\n*Provide at least one useful result found by your query, on some revision of a real project.*\r\n\r\n- [Service Integration bora App](https://github.com/JeffMSantos/bora)\r\n","author":{"url":"https://github.com/luchua-bc","@type":"Person","name":"luchua-bc"},"datePublished":"2021-03-11T14:10:48.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":7},"url":"https://github.com/310/securitylab/issues/310"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:be89592d-4ed9-2234-3047-47a8397e8fe3 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 9E8A:4FAAE:219CCA5:30474FD:6A4FDB69 |
| html-safe-nonce | ddaddf4017b761275f74e93d1227f37bd11dbd8ef66e9d86a94d4e3ac6c00291 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5RThBOjRGQUFFOjIxOUNDQTU6MzA0NzRGRDo2QTRGREI2OSIsInZpc2l0b3JfaWQiOiIxMzQ4OTQ1NjE3NjY2MTY5NzA2IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | bc069cfb0b39f54bb1815131bc95b5397042f20eae23f6f39684334256db6d2f |
| hovercard-subject-tag | issue:829188944 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/github/securitylab/310/issue_layout |
| twitter:image | https://opengraph.githubassets.com/37e832a5818669ee0c15743ec8d4cea68a8ff06ee0971253697e5ef677ba68a1/github/securitylab/issues/310 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/37e832a5818669ee0c15743ec8d4cea68a8ff06ee0971253697e5ef677ba68a1/github/securitylab/issues/310 |
| og:image:alt | CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. Report Describe the vulnerability. Provide any information y... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | luchua-bc |
| hostname | github.com |
| expected-hostname | github.com |
| None | 19b98c3d9767bb8a56238a89ff8401d1cbdf3bc5c353799aacf49fe6c76b4b7c |
| turbo-cache-control | no-preview |
| go-import | github.com/github/securitylab git https://github.com/github/securitylab.git |
| octolytics-dimension-user_id | 9919 |
| octolytics-dimension-user_login | github |
| octolytics-dimension-repository_id | 221101274 |
| octolytics-dimension-repository_nwo | github/securitylab |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 221101274 |
| octolytics-dimension-repository_network_root_nwo | github/securitylab |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 142593e66413bbae27fd485859993597d5a3b104 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width