Java: Promote Insecure Spring Boot Actuator Configuration query from experimental #20006

Draft: wants to merge 19 commits into main

Conversation

jcogs33 (Contributor) commented Jul 9, 2025

This PR promotes java/insecure-spring-actuator-config from experimental as java/spring-boot-exposed-actuators-config (original PR: #5384).

Changes from the experimental query:

github-actions bot commented Jul 9, 2025

QHelp previews:

java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp

Exposed Spring Boot actuators in configuration file

Spring Boot includes features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints through configuration files can lead to information disclosure or even to remote code execution.

Recommendation

Since actuator endpoints may contain sensitive information, carefully consider when to expose them, and secure them as you would any sensitive URL. If you need to expose actuator endpoints, use Spring Security, which secures actuators by default, or define a custom security configuration.

Example

The following examples show application.properties configurations that expose sensitive actuator endpoints.

# vulnerable configuration (Spring Boot 1.0 - 1.4): exposes endpoints by default

# vulnerable configuration (Spring Boot 1.5): false value exposes endpoints
management.security.enabled=false

# vulnerable configuration (Spring Boot 2.x): exposes all endpoints
management.endpoints.web.exposure.include=*

# vulnerable configuration (Spring Boot 3.x): exposes all endpoints
management.endpoints.web.exposure.include=*

The following configurations ensure that sensitive actuator endpoints are not exposed.

# safe configuration (Spring Boot 1.0 - 1.4)
management.security.enabled=true

# safe configuration (Spring Boot 1.5+)
management.security.enabled=true

# safe configuration (Spring Boot 2.x): exposes health and info only by default
management.endpoints.web.exposure.include=health,info

# safe configuration (Spring Boot 3.x): exposes health only by default
management.endpoints.web.exposure.include=health

To use Spring Security, which secures actuators by default, add the spring-boot-starter-security dependency in your Maven pom.xml file.

...
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>

        <!-- GOOD: Enable Spring Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
...

References

jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch 3 times, most recently from d8bbc2b to cde1939 on July 15, 2025 14:19
jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from c0680d1 to 9ac212d on July 16, 2025 01:57
jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 9ac212d to 8dd8c17 on July 16, 2025 19:43
jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 8dd8c17 to c31fb17 on July 17, 2025 21:55
jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from c31fb17 to 6a6b794 on July 17, 2025 22:29
jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 6a6b794 to 56f667d on July 17, 2025 23:23
jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 56f667d to 7250265 on July 18, 2025 21:50
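The query help in the bot comment above lists, per Spring Boot version family, which application.properties settings expose actuator endpoints and which do not. The following checker is an added example that applies those rules to a properties file; it is not the CodeQL query's implementation, not code from this PR, and not Spring Boot code. Assumptions: the rules are read literally from the help text (1.0-1.4 exposed unless management.security.enabled=true, 1.5 exposed only when that property is false, 2.x and 3.x exposed when the include list contains `*`), version strings look like `major.minor[.patch]`, YAML configuration and the `management.endpoints.web.exposure.exclude` property are not modeled, and the sample files at the bottom are constructed.

```python
"""Added example: applies the per-version actuator exposure rules from the
query help to an application.properties file. Not the CodeQL query's logic
and not Spring Boot code; sample inputs at the bottom are constructed."""
from __future__ import annotations

from dataclasses import dataclass

EXPOSURE_KEY_1X = "management.security.enabled"
EXPOSURE_KEY_2X = "management.endpoints.web.exposure.include"


@dataclass(frozen=True)
class Finding:
    line_no: int  # 1-based line of the offending setting; 0 when the key is absent
    key: str
    value: str
    message: str


def parse_properties(text: str) -> dict[str, tuple[int, str]]:
    """Minimal .properties parser: 'key=value' or 'key:value', '#'/'!' comments,
    later definitions override earlier ones. Whitespace-separated keys and
    line continuations are not handled (assumption: plain key=value files)."""
    props: dict[str, tuple[int, str]] = {}
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            sep = min(seps)
            key, value = line[:sep].strip(), line[sep + 1:].strip()
        else:
            key, value = line, ""
        props[key] = (no, value)
    return props


def major_minor(version: str) -> tuple[int, int]:
    """'2.7.18' -> (2, 7); a bare major such as '3' -> (3, 0)."""
    parts = version.split(".")
    return int(parts[0]), (int(parts[1]) if len(parts) > 1 else 0)


def check_actuator_config(text: str, boot_version: str) -> list[Finding]:
    """Return one Finding per exposing setting, following the help text's rules."""
    props = parse_properties(text)
    major, minor = major_minor(boot_version)
    findings: list[Finding] = []

    if major == 1:
        if EXPOSURE_KEY_1X in props:
            no, value = props[EXPOSURE_KEY_1X]
            if value.lower() == "false":
                findings.append(Finding(no, EXPOSURE_KEY_1X, value,
                    "management.security.enabled=false exposes actuator endpoints; set it to true"))
        elif minor < 5:
            # 1.0 - 1.4 expose endpoints by default unless the property is set to true
            findings.append(Finding(0, EXPOSURE_KEY_1X, "",
                "Spring Boot 1.0-1.4 exposes actuator endpoints by default; add management.security.enabled=true"))
    elif major >= 2:
        if EXPOSURE_KEY_2X in props:
            no, value = props[EXPOSURE_KEY_2X]
            entries = [e.strip() for e in value.split(",")]
            if "*" in entries:
                findings.append(Finding(no, EXPOSURE_KEY_2X, value,
                    "wildcard exposes every actuator endpoint over HTTP; list only the endpoints you need (e.g. health,info)"))
    return findings


# Constructed sample files (not from the PR), one per version family.
SAMPLES = {
    "1.4.7": "# legacy app, property never set\nserver.port=8080\n",
    "1.5.22": "server.port=8080\nmanagement.security.enabled=false\n",
    "2.7.18": "server.port=8080\n# exposes everything\nmanagement.endpoints.web.exposure.include=*\n",
    "3.2.0": "management.endpoints.web.exposure.include=health\n",
}


def report(samples: dict[str, str] = SAMPLES) -> dict[str, list[Finding]]:
    """Run the checker over every sample, keyed by Spring Boot version."""
    return {version: check_actuator_config(text, version) for version, text in samples.items()}


if __name__ == "__main__":
    for version, findings in report().items():
        status = "OK" if not findings else "; ".join(
            f"line {f.line_no}: {f.message}" for f in findings)
        print(f"Spring Boot {version}: {status}")
```

Running the script prints one line per sample: the 1.4.7 and 1.5.22 files and the 2.7.18 wildcard are flagged, the 3.2.0 file that exposes only health is reported as OK. The absent-key case for 1.0-1.4 is reported with line 0, since there is no line to point at; a real query would anchor that finding on the file itself.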