org.springframework.boot:spring-boot-actuator-autoconfigure 3.4.13

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.boot:spring-boot-actuator-autoconfigure package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Authentication Bypass Using an Alternate Path or Channel Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the configuration of endpoints under paths already assigned to Health Group additional paths. An attacker can gain unauthorized access to protected endpoints by sending requests to these specific paths. Note: This is only exploitable if all of the following conditions are met: the application declares a custom health group (here `"mygroup"`), with `management.endpoint.health.group.mygroup.include` this health group is exposed under an additional path on the main server, like `management.endpoint.health.group.mygroup.additional-path=server:/healthz` the application contributes an application endpoint that requires authentication under a subpath, like `"/healthz/admin"` Mapping application endpoints under infrastructure endpoints like Actuators is not recommended by the Spring team and doing so is likely to interfere with other configurations and cause behavior problems. This setup is expected to rarely occur in production. How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `org.springframework.boot:spring-boot-actuator-autoconfigure` to version 3.5.12, 4.0.4 or higher.	[3.4.0,3.5.12)[4.0.0-M1,4.0.4)
C Authentication Bypass Using an Alternate Path or Channel Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Actuator CloudFoundry endpoints. An attacker can gain unauthorized access to protected endpoints by sending requests to application endpoints declared under the CloudFoundry Actuator path. Note: This is only exploitable if all of the following conditions are met: the application is a web application the application contributes an application endpoint that requires authentication under a subpath, like `"/cloudfoundryapplication/admin"` How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `org.springframework.boot:spring-boot-actuator-autoconfigure` to version 3.5.12, 4.0.4 or higher.	[,3.5.12)[4.0.0-M1,4.0.4)

Vulnerability

Vulnerable Version

Authentication Bypass Using an Alternate Path or Channel

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the configuration of endpoints under paths already assigned to Health Group additional paths. An attacker can gain unauthorized access to protected endpoints by sending requests to these specific paths.

Note:

This is only exploitable if all of the following conditions are met:

the application declares a custom health group (here "mygroup"), with management.endpoint.health.group.mygroup.include
this health group is exposed under an additional path on the main server, like management.endpoint.health.group.mygroup.additional-path=server:/healthz
the application contributes an application endpoint that requires authentication under a subpath, like "/healthz/admin"

Mapping application endpoints under infrastructure endpoints like Actuators is not recommended by the Spring team and doing so is likely to interfere with other configurations and cause behavior problems. This setup is expected to rarely occur in production.

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade org.springframework.boot:spring-boot-actuator-autoconfigure to version 3.5.12, 4.0.4 or higher.

[3.4.0,3.5.12)[4.0.0-M1,4.0.4)

Authentication Bypass Using an Alternate Path or Channel

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Actuator CloudFoundry endpoints. An attacker can gain unauthorized access to protected endpoints by sending requests to application endpoints declared under the CloudFoundry Actuator path.

Note:

This is only exploitable if all of the following conditions are met:

the application is a web application
the application contributes an application endpoint that requires authentication under a subpath, like "/cloudfoundryapplication/admin"

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade org.springframework.boot:spring-boot-actuator-autoconfigure to version 3.5.12, 4.0.4 or higher.

[,3.5.12)[4.0.0-M1,4.0.4)

org.springframework.boot:spring-boot-actuator-autoconfigure@3.4.13

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically