U.S. Dept Of Defense: springboot actuator is leaking internals at ██████████
News category: Security vulnerabilities
Source: vulners.com
Proof of Concept

If you go to https://█████████/actuator you'll get a complete overview of all the endpoints that are accessible. (Suggestion: use a Firefox browser if possible; its JSON representation is well formed and the links are clickable.)

██████████

Impact: Information Disclosure

- https://████/actuator/beans: displays a complete list of all the Spring beans in your application.
- https://██████████/actuator/caches: exposes available caches. For ███ it is empty.
- https://███████/actuator/health: the actual status of the actuator is displayed:
  status "UP"; components: diskSpace status "UP" (details: total 1167859712, free 1167810560, threshold 10485760, exists true); ping status "UP".
- https://███/actuator/info: version and build time are displayed:
  build version "1.2.1-SNAPSHOT", artifact "unregister-file-endpoint", name "UnregisterFileEndpoint", group "com.hexusfed", time "2022-06-30T14:44:23.879Z".
- https://██████████/actuator/conditions: shows the conditions that were evaluated on configuration and auto-configuration classes and the reasons why they did or did not match.
- https://█████/actuator/configprops: displays a collated list of all configuration properties.
- https://█████/actuator/env: contains internal paths, ports, version numbers etc.
- https://███/actuator/loggers: configuration of loggers in the application.
- https://███/actuator/heapdump (CRITICAL): downloads a complete heap dump file (about 30 MB). This file has a PHD format and... ...
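As an added example (not part of the report or of the affected application), the Spring Boot management configuration that produces the exposure described above, with a hardened version beside it. The property names are standard Spring Boot 2.x/3.x management properties (the two show-values keys exist from Boot 3.0); the management port and bind address are assumptions.

```yaml
# Added example, not the affected application's own configuration.
# Document 1: the weak pattern behind the findings above. Every actuator
# endpoint is mapped to a URL on the application port, so /actuator/env,
# /actuator/configprops and /actuator/heapdump answer any unauthenticated GET.
management:
  endpoints:
    web:
      exposure:
        include: "*"
  endpoint:
    health:
      show-details: always      # disk totals, free space and threshold for everyone
---
# Document 2: hardened. Opt in per endpoint, expose only what monitoring needs,
# mask values, and move the management interface off the public port.
management:
  endpoints:
    enabled-by-default: false   # nothing is enabled unless listed below
    web:
      exposure:
        include: "health,info"  # only these get a URL; others return 404
        exclude: "heapdump,env,configprops,beans,loggers,conditions,caches"
  endpoint:
    health:
      enabled: true
      show-details: when-authorized   # component details only for authenticated callers
    info:
      enabled: true               # keep build metadata out of info if it is sensitive
    heapdump:
      enabled: false              # a heap dump contains live secrets; never serve it
    env:
      show-values: never          # Boot 3.x: property values masked if env is ever re-enabled
    configprops:
      show-values: never
  server:
    port: 8081                    # assumed: separate management port not routed by the edge
    address: 127.0.0.1            # assumed: bind to loopback so only local monitoring reaches it
```

With the second document active, a request to /actuator/heapdump returns 404 instead of a dump, and /actuator/health answers with the bare status only until the caller is authenticated.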