
Java: Promote Insecure Spring Boot Actuator Configuration query from experimental #20006


Draft
jcogs33 wants to merge 19 commits into github:main from jcogs33:jcogs33/java/insecure-spring-actuator-config-promotion

Conversation

@jcogs33 jcogs33 (Contributor) commented Jul 9, 2025 (edited)

This PR promotes java/insecure-spring-actuator-config from experimental as java/spring-boot-exposed-actuators-config (original PR: #5384).

Changes from the experimental query:

@github-actions GitHub Actions (bot) commented Jul 9, 2025 (edited)

QHelp previews:

java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp

Exposed Spring Boot actuators in configuration file

Spring Boot includes features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints through configuration files can lead to information disclosure or even to remote code execution.

Recommendation

Since actuator endpoints may contain sensitive information, carefully consider when to expose them, and secure them as you would any sensitive URL. If you need to expose actuator endpoints, use Spring Security, which secures actuators by default, or define a custom security configuration.

Example

The following examples show application.properties configurations that expose sensitive actuator endpoints.

```properties
# vulnerable configuration (Spring Boot 1.0 - 1.4): exposes endpoints by default

# vulnerable configuration (Spring Boot 1.5): false value exposes endpoints
management.security.enabled=false

# vulnerable configuration (Spring Boot 2.x): exposes all endpoints
management.endpoints.web.exposure.include=*

# vulnerable configuration (Spring Boot 3.x): exposes all endpoints
management.endpoints.web.exposure.include=*
```

The configurations below ensure that sensitive actuator endpoints are not exposed.

```properties
# safe configuration (Spring Boot 1.0 - 1.4)
management.security.enabled=true

# safe configuration (Spring Boot 1.5+)
management.security.enabled=true

# safe configuration (Spring Boot 2.x): exposes health and info only by default
management.endpoints.web.exposure.include=health,info

# safe configuration (Spring Boot 3.x): exposes health only by default
management.endpoints.web.exposure.include=health
```

To use Spring Security, which secures actuators by default, add the spring-boot-starter-security dependency in your Maven pom.xml file.

```xml
...
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <!-- GOOD: Enable Spring Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
...
```

References
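The qhelp above describes the two property settings the query treats as exposing actuators (a `false` value for `management.security.enabled` on Spring Boot 1.5, and a wildcard in `management.endpoints.web.exposure.include` on 2.x/3.x). The following is an added example, not part of the qhelp or of the CodeQL query: a small Python checker that parses application.properties text and reports those settings. The property names are the real Spring Boot keys quoted in the qhelp; the sample files are constructed. It assumes a properties file is available as text, and it cannot flag the Spring Boot 1.0 - 1.4 case, where exposure is the default and no property is present.

```python
# Added example (not the qhelp's or the CodeQL query's code): apply the qhelp's
# insecure-actuator rules to application.properties text. Sample inputs are constructed.
import re

INSECURE_PATTERNS = {
    # Spring Boot 1.5: disabling management security exposes all actuators
    "management.security.enabled": lambda v: v.lower() == "false",
    # Spring Boot 2.x/3.x: a wildcard in the include list exposes every endpoint
    "management.endpoints.web.exposure.include": lambda v: "*" in v,
}

def parse_properties(text):
    """Parse the subset of .properties syntax used by Spring Boot configs:
    '#'/'!' comments, blank lines, key=value or key:value; a later key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def find_exposed_actuators(text):
    """Return (key, value) pairs that match the qhelp's vulnerable settings,
    in file order. Absence of any property (Boot 1.0 - 1.4 default exposure)
    is not detectable from the file alone and is not reported."""
    props = parse_properties(text)
    return [(k, v) for k, v in props.items()
            if k in INSECURE_PATTERNS and INSECURE_PATTERNS[k](v)]

# Constructed sample inputs mirroring the qhelp's BAD and GOOD configurations.
VULNERABLE_PROPS = """\
# Spring Boot 1.5 style
management.security.enabled=false
# Spring Boot 2.x/3.x style
management.endpoints.web.exposure.include=*
"""

SAFE_PROPS = """\
management.security.enabled=true
management.endpoints.web.exposure.include=health,info
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_PROPS), ("safe", SAFE_PROPS)):
        print(name, find_exposed_actuators(text))
```

The wildcard check also catches a mixed list such as `health,*`, which exposes every endpoint just like a bare `*`.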

@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch 3 times, most recently from d8bbc2b to cde1939, July 15, 2025 14:19
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from c0680d1 to 9ac212d, July 16, 2025 01:57
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 9ac212d to 8dd8c17, July 16, 2025 19:43
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 8dd8c17 to c31fb17, July 17, 2025 21:55
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from c31fb17 to 6a6b794, July 17, 2025 22:29
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 6a6b794 to 56f667d, July 17, 2025 23:23
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 56f667d to 7250265, July 18, 2025 21:50