Description
Spring Boot Actuator adds HTTP endpoints that let operators monitor and interact with a running Spring application. Spring Boot ships a number of built-in endpoints (for example, the health endpoint returns basic application health information) and developers can add their own. Several of these endpoints disclose internal details that are useful to an attacker: /env returns the application's configuration properties, which often include connection strings and credentials; /beans, /mappings, /configprops and /autoconfig reveal the internal structure of the application; /dump exposes a thread dump; /trace returns recent HTTP requests including their headers; and /shutdown, when enabled, lets an unauthenticated caller stop the application. The scanner reported this finding because one or more of these endpoints answered a request that was not authenticated.
The following built-in endpoints exist in Spring Boot 1.x, served from the application root unless management.context-path is set (in Spring Boot 2.x they are served under /actuator and most are not exposed over HTTP by default):
- /autoconfig - Displays an auto-configuration report showing all auto-configuration candidates and the reason why they 'were' or 'were not' applied.
- /beans - Displays a complete list of all the Spring beans in your application.
- /configprops - Displays a collated list of all @ConfigurationProperties.
- /dump - Performs a thread dump.
- /env - Exposes properties from Spring's ConfigurableEnvironment.
- /health - Shows application health information (a simple 'status' when accessed over an unauthenticated connection or full message details when authenticated).
- /info - Displays arbitrary application info.
- /metrics - Shows 'metrics' information for the current application.
- /mappings - Displays a collated list of all @RequestMapping paths.
- /shutdown - Allows the application to be gracefully shut down (not enabled by default).
- /trace - Displays trace information (by default the last few HTTP requests).
Remediation
In production, disable the endpoints you do not need and restrict access to the rest. In Spring Boot 1.x, endpoints.enabled=false turns all of them off, individual endpoints can be re-enabled with endpoints.<name>.enabled=true, and management.port together with management.address moves the remaining ones to a separate listener that is not reachable from the Internet; keep management.security.enabled=true so that sensitive endpoints require an authenticated user when Spring Security is present. In Spring Boot 2.x the endpoints live under /actuator and only a minimal set (health, and in some versions info) is exposed over HTTP by default; control the rest with management.endpoints.web.exposure.include, keep management.endpoint.shutdown.enabled=false, and use management.server.port and management.server.address for a separate listener. After deploying, verify from outside the trust boundary (for example with curl -i against each path listed above) that the endpoints return 401 or 404 rather than 200 with a JSON body.
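The following configuration is an added example, not part of the original advisory or of the Spring Boot project. It shows the weak settings beside the hardened ones for both Spring Boot generations; the property names are real Spring Boot properties, while the port 8081, the loopback address and the health-only exposure are assumptions chosen for the example.

```properties
# ---- Spring Boot 1.x: weak settings (application-insecure.properties) ----
# Every endpoint on, including /shutdown, and actuator security switched off,
# so /env, /dump, /trace and /shutdown answer unauthenticated requests.
endpoints.enabled=true
endpoints.shutdown.enabled=true
management.security.enabled=false

# ---- Spring Boot 1.x: hardened settings (application.properties) ----
# Turn every actuator endpoint off, then re-enable only what monitoring needs.
endpoints.enabled=false
endpoints.health.enabled=true
# Keep /shutdown off even though endpoints.enabled=false already covers it.
endpoints.shutdown.enabled=false
# Sensitive endpoints require an authenticated user holding the role named in
# management.security.roles when Spring Security is on the classpath.
management.security.enabled=true
management.security.roles=ACTUATOR
# Assumption: serve the management endpoints on a separate listener bound to
# loopback, so they are reachable only from the host (e.g. a local agent).
management.port=8081
management.address=127.0.0.1

# ---- Spring Boot 2.x: weak settings (application-insecure.properties) ----
# Wildcard exposure publishes every endpoint, including env and heapdump,
# under /actuator, and shutdown is explicitly enabled.
management.endpoints.web.exposure.include=*
management.endpoint.shutdown.enabled=true

# ---- Spring Boot 2.x: hardened settings (application.properties) ----
# Disable all endpoints by default, enable health only, and expose health only.
management.endpoints.enabled-by-default=false
management.endpoint.health.enabled=true
management.endpoints.web.exposure.include=health
management.endpoint.shutdown.enabled=false
# Assumption: separate management listener on loopback, as for 1.x above.
management.server.port=8081
management.server.address=127.0.0.1
```

Note that in a Java .properties file a '#' only starts a comment at the beginning of a line; a '#' placed after a value becomes part of that value, which is why every comment above sits on its own line. Use only one of the two blocks for a given generation: if both the weak and the hardened keys are present in the same file, the last occurrence of each key wins.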