Spring Actuator Information Leak

ID

spring_actuator_information_leak

Severity

high

Kind

Information Disclosure

CWE

215

Description

The Spring Boot Actuator health endpoint (/actuator/health in Spring Boot 2 and later, /health in 1.x) is reachable on this application and may reveal sensitive information about it. A bare {"status":"UP"} response is mostly harmless, but when health details are enabled the response enumerates the application's health indicators (database, disk space, message brokers, external services and so on) together with their details, and a reachable health endpoint is a strong hint that the exposure settings should be reviewed as a whole: in Spring Boot 2 and later the /actuator discovery page lists every endpoint exposed over HTTP. Actuators are legitimate monitoring tools, but they should be configured with care so that they do not expose more about the application, or the infrastructure it runs on, than operators actually need.

Rationale

Exposed Spring Actuator endpoints leak operational information: /env and /configprops return the application's configuration and environment (property sources, profiles, bean properties), /beans and /mappings describe the internal object graph and every HTTP route, /info and /health disclose framework versions and the backing services the application depends on, /threaddump and /loggers expose runtime state, and /heapdump serves a full JVM heap dump. Attackers can extract database connection strings, API credentials, internal URLs and hostnames, framework versions and system architecture details from these responses. Recent Spring Boot releases mask property values in /env and /configprops whose keys look sensitive (and Spring Boot 3 masks all values unless show-values is enabled), but a heap dump is not sanitised and routinely contains the same credentials, session identifiers and tokens in clear text. Some endpoints are also writable: /loggers changes log levels at runtime and /shutdown, if enabled, stops the application. This reconnaissance data enables targeted attacks, helps identify vulnerable components, and may directly expose credentials or tokens that provide immediate system access.

Remediation

Disable unnecessary Spring Actuator endpoints in production environments. For required endpoints, implement authentication and authorization so that only administrative users can reach them; an anonymous liveness or readiness probe should at most see the health status, not its details. Concretely, set management.endpoints.web.exposure.include to an explicit list of the endpoints you need (a value of "*" exposes everything; Spring Boot 2 and later expose only health, and in earlier releases also info, by default), set management.endpoint.health.show-details=when-authorized (or never) so component details are only returned to authenticated callers, and consider management.server.port to bind the actuators to a separate management port that is not reachable from the Internet. management.endpoints.web.base-path can move the actuators to a non-standard path, but this is obscurity rather than a control and must be combined with authentication or network-level restrictions. Spring Boot 1.x exposed every endpoint by default and only protected the sensitive ones when Spring Security was present; its property names also differ (endpoints.<id>.enabled, endpoints.<id>.sensitive, management.security.enabled), so check the version in use before applying the settings above.
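The following Spring Security configuration is an added illustration of the "authenticate and authorize" part of the remediation; it is not code from the original rule or from the Spring project. It assumes the Spring Boot 3 / Spring Security 6 API, a hypothetical package name, and a hypothetical ACTUATOR_ADMIN role that your user store must actually grant. The companion application.properties settings it relies on are listed in the header comment.

```java
// Companion settings in application.properties (assumed for this example):
//   management.endpoints.web.exposure.include=health,info   (never "*" in production)
//   management.endpoint.health.show-details=when-authorized  (details only for authenticated callers)
//   management.server.port=8081                              (optional: separate, firewalled management port)
package com.example.actuatorhardening; // hypothetical package

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // A filter chain dedicated to the management endpoints. It is ordered before the
    // application's own chain so actuator requests never fall through to a permissive rule.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // Matches every actuator endpoint (and the /actuator discovery page) regardless
            // of management.endpoints.web.base-path or management.server.port.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Load balancer / Kubernetes probes need anonymous access to health. With
                // show-details=when-authorized the anonymous response is only {"status":"UP"};
                // component details are returned to authenticated callers only.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Everything else that is exposed (info, env, heapdump, ...) requires an
                // operator role. ACTUATOR_ADMIN is a hypothetical role name.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            // HTTP Basic is used here for brevity; any authentication mechanism works as long as
            // the actuator requests are served only over TLS.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Verify the result from outside the network perimeter: an anonymous request to /actuator/health should return only the status, and requests to /actuator, /actuator/env and /actuator/heapdump should return 401 rather than a body. If management.server.port is set, the management port should not be reachable from the Internet at all.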