Spring Boot Actuator full exposure in properties
Description
Spring Boot Actuator is configured to expose all endpoints using `management.endpoints.web.exposure.include=*`. This setting can expose sensitive endpoints like `/env`, `/logfile`, or `/heapdump`, especially if authentication and authorization are not enforced.
Examples
Insecure Code

```properties
# Exposes every actuator endpoint over HTTP, including /env, /logfile and /heapdump
management.endpoints.web.exposure.include=*
```

Secure Code

```properties
# Expose only the endpoints the deployment actually needs
management.endpoints.web.exposure.include=health,info,metrics
```

Remediation
Avoid the wildcard `*` in production environments. Explicitly list only the endpoints that are needed, such as `health`, `info`, or `metrics`, and apply Spring Security or another access-control mechanism so that the endpoints that remain exposed require authentication and authorization.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0221 |
| Category | AccessControl |
| Severity | MEDIUM |
| CWE | CWE-497 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Spring Actuator, Access Control |
| OWASP | A01:2021-Broken Access Control |