We found results for “”
WS-2016-7111
Good to know:
Date: December 6, 2016
In Spring Boot, versions 1.0.0.RELEASE through 1.4.7.RELEASE are vulnerable to Improper Access Control. As part of the actuator feature, a Spring Boot app registers endpoints which can help developers to monitor their app while running. However, affected versions of Spring Boot permit unauthenticated users to access these endpoints, which result in system information disclosure as well as leakage of logs and session information, which can lead to session takeover. Other impacts include application denial-of-service, modification of application's environment and configuration and SQL injection. When certain libraries are on the target application's classpath, this can even lead to remote-code-execution.
Language: Java
Severity Score
Severity Score
Weakness Type (CWE)
Improper Authorization
CWE-285Top Fix
Upgrade Version
Upgrade to version org.springframework.boot:spring-boot-actuator:1.5.0.RELEASE
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |