Java: Promote Insecure Spring Boot Actuator Configuration query from experimental #20006


Draft: wants to merge 17 commits into main from jcogs33/java/insecure-spring-actuator-config-promotion

Conversation

@jcogs33 (Contributor) commented Jul 9, 2025

DRAFT

github-actions bot (Contributor) commented Jul 9, 2025

QHelp previews:

java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp

Exposed Spring Boot actuators in configuration file

Spring Boot includes features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints through configuration files can lead to information disclosure or even to remote code execution.

Recommendation

Since actuator endpoints may contain sensitive information, carefully consider when to expose them, and secure them as you would any sensitive URL. Use Spring Security, which secures actuators by default, by configuring spring-boot-starter-security in your application. Alternatively, you can define a custom security configuration which only allows users with certain roles to access the endpoints.

Example

The following examples show application.properties configurations that expose sensitive actuator endpoints in different Spring Boot versions.

# vulnerable configuration (Spring Boot 1.0 - 1.4): exposes actuators by default

# vulnerable configuration (Spring Boot 1.5+): requires value false to expose sensitive actuators
management.security.enabled=false

# vulnerable configuration (Spring Boot 2.x): exposes health and info only by default
# here overridden to expose all endpoints
management.endpoints.web.exposure.include=*

# vulnerable configuration (Spring Boot 3.x): exposes health only by default
# here overridden to expose all endpoints
management.endpoints.web.exposure.include=*

The below configurations ensure that sensitive actuator endpoints are not exposed.

# safe configuration (Spring Boot 1.0 - 1.4): exposes actuators by default
management.security.enabled=true

# safe configuration (Spring Boot 1.5+): requires value false to expose sensitive actuators
management.security.enabled=true

# safe configuration (Spring Boot 2.x): exposes health and info only by default
management.endpoints.web.exposure.include=health,info

# safe configuration (Spring Boot 3.x): exposes health only by default
management.endpoints.web.exposure.include=health

To use Spring Security, which secures actuators by default, add the spring-boot-starter-security dependency in your Maven pom.xml file.

...
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>

        <!-- GOOD: Enable Spring Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
...
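
The following is an added example, not code from the CodeQL repository or from the query this PR promotes: a small Python checker that applies the rules stated in the QHelp above to an `application.properties` file. It flags the two settings the QHelp calls vulnerable (`management.security.enabled=false` for Spring Boot 1.5+, and a `*` wildcard in `management.endpoints.web.exposure.include` for 2.x/3.x) and accepts the safe forms. The property keys are the ones named in the QHelp; the sample input, the `Finding` type and the function names are constructed for this illustration.

```python
"""Added example (not part of the CodeQL repository): check an
application.properties file for the insecure actuator settings described
in the QHelp. Sample input below is constructed for the example."""
import re
from dataclasses import dataclass

# Keys taken from the QHelp text; version notes follow its comments.
SECURITY_ENABLED = "management.security.enabled"                  # Spring Boot 1.5+
WEB_EXPOSURE_INCLUDE = "management.endpoints.web.exposure.include"  # Spring Boot 2.x / 3.x


@dataclass(frozen=True)
class Finding:
    line_no: int
    key: str
    value: str
    message: str


def parse_properties(text: str) -> list[tuple[int, str, str]]:
    """Parse java.util.Properties-style lines into (line_no, key, value).

    Handles '#' / '!' comment lines, '=' or ':' separators and surrounding
    whitespace. Line continuations and backslash escapes are out of scope
    for this illustration.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if not m:
            continue
        entries.append((line_no, m.group(1), m.group(2).strip()))
    return entries


def check_actuator_config(text: str) -> list[Finding]:
    """Return one Finding per line that matches a vulnerable setting from the QHelp."""
    findings = []
    for line_no, key, value in parse_properties(text):
        if key == SECURITY_ENABLED and value.lower() == "false":
            findings.append(Finding(
                line_no, key, value,
                "Spring Boot 1.5+: actuator security disabled, sensitive endpoints exposed"))
        elif key == WEB_EXPOSURE_INCLUDE:
            # Split the comma-separated endpoint list; '*' means every endpoint.
            endpoints = {e.strip() for e in value.split(",") if e.strip()}
            if "*" in endpoints:
                findings.append(Finding(
                    line_no, key, value,
                    "Spring Boot 2.x/3.x: wildcard exposes all actuator endpoints over HTTP"))
    return findings


# Constructed sample input: one vulnerable line of each kind plus an unrelated key.
SAMPLE = """\
# constructed application.properties for the example
management.security.enabled = false
management.endpoints.web.exposure.include=*
server.port: 8081
"""

# Constructed sample that uses the safe values from the QHelp.
SAFE_SAMPLE = """\
management.security.enabled=true
management.endpoints.web.exposure.include=health,info
"""

if __name__ == "__main__":
    for f in check_actuator_config(SAMPLE):
        print(f"line {f.line_no}: {f.key}={f.value} -> {f.message}")
    print(f"safe sample findings: {len(check_actuator_config(SAFE_SAMPLE))}")
```

Run it on a project's `src/main/resources/application.properties` to get the same two classes of result the QHelp describes; a project that relies on the Spring Boot 1.0-1.4 default (no `management.security.enabled` key at all) produces no finding here, which is the case the QHelp's first vulnerable block illustrates and the reason the recommended fix is to add `spring-boot-starter-security` rather than to rely on property values alone.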


@jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch 3 times, most recently from d8bbc2b to cde1939 on July 15, 2025 14:19
@jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from c0680d1 to 9ac212d on July 16, 2025 01:57
@jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 9ac212d to 8dd8c17 on July 16, 2025 19:43
@jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 8dd8c17 to c31fb17 on July 17, 2025 21:55
@jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from c31fb17 to 6a6b794 on July 17, 2025 22:29
@jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 6a6b794 to 56f667d on July 17, 2025 23:23