ZAP – Spring Actuator Information Leak

Details
Alert ID	40042
Alert Type	Active
Status	release
Risk	Medium
CWE	215
WASC	13
Technologies Targeted	Language / Java Language / Java / Spring
Tags	CWE-215 OWASP_2017_A05 OWASP_2021_A01 WSTG-V42-CONF-05
More Info	Scan Rule Help

Summary

Spring Actuator for Health is enabled and may reveal sensitive information about this application. Spring Actuators can be used for real monitoring purposes, but should be used with caution as to not expose too much information about the application or the infrastructure running it.

Solution

Disable the Health Actuators and other actuators, or restrict them to administrative users.

Other Info

References

https://docs.spring.io/spring-boot/docs/current/actuator-api/htmlsingle/#overview

Code

org/zaproxy/zap/extension/ascanrules/SpringActuatorScanRule.java