org.springframework.boot:spring-boot-actuator-autoconfigure 2.6.8 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.boot:spring-boot-actuator-autoconfigure package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Access Restriction Bypass Affected versions of this package are vulnerable to Access Restriction Bypass due to improper implementation of wildcard pattern matching. An application is vulnerable when all of the following are true: Users have code that can handle requests matching `/cloudfoundryapplication/`. Typically, this will be if there is a catch-all request mapping which matches `/` The application is deployed to Cloud Foundry. Note: Applications using Spring Cloud Config Server can handle requests to `/cloudfoundryapplication/` by default and can be vulnerable if deployed to Cloud Foundry. An application is not vulnerable** if any of the following is true: The application is not deployed to Cloud Foundry Users have disabled Cloud Foundry actuator endpoints with `management.cloudfoundry.enabled` set to `false` The application does not have handler mappings that can handle requests to `/cloudfoundryapplication/**` How to fix Access Restriction Bypass? Upgrade `org.springframework.boot:spring-boot-actuator-autoconfigure` to version 2.5.15, 2.6.15, 2.7.11, 3.0.6 or higher.	[,2.5.15)[2.6.0,2.6.15)[2.7.0,2.7.11)[3.0.0,3.0.6)

Vulnerability

Vulnerable Version

Access Restriction Bypass

Affected versions of this package are vulnerable to Access Restriction Bypass due to improper implementation of wildcard pattern matching.

An application is vulnerable when all of the following are true:

Users have code that can handle requests matching /cloudfoundryapplication/**. Typically, this will be if there is a catch-all request mapping which matches /**
The application is deployed to Cloud Foundry.

Note: Applications using Spring Cloud Config Server can handle requests to /cloudfoundryapplication/** by default and can be vulnerable if deployed to Cloud Foundry.

An application is not vulnerable if any of the following is true:

The application is not deployed to Cloud Foundry
Users have disabled Cloud Foundry actuator endpoints with management.cloudfoundry.enabled set to false
The application does not have handler mappings that can handle requests to /cloudfoundryapplication/**

How to fix Access Restriction Bypass?

Upgrade org.springframework.boot:spring-boot-actuator-autoconfigure to version 2.5.15, 2.6.15, 2.7.11, 3.0.6 or higher.

[,2.5.15)[2.6.0,2.6.15)[2.7.0,2.7.11)[3.0.0,3.0.6)

org.springframework.boot:spring-boot-actuator-autoconfigure@2.6.8 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?