org.springframework.boot:spring-boot-actuator 2.3.12.RELEASE vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.boot:spring-boot-actuator package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Authentication Bypass Using an Alternate Path or Channel Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Actuator CloudFoundry endpoints. An attacker can gain unauthorized access to protected endpoints by sending requests to application endpoints declared under the CloudFoundry Actuator path. Note: This is only exploitable if all of the following conditions are met: the application is a web application the application contributes an application endpoint that requires authentication under a subpath, like `"/cloudfoundryapplication/admin"` How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `org.springframework.boot:spring-boot-actuator` to version 3.5.12, 4.0.4 or higher.	[,3.5.12)[4.0.0-M1,4.0.4)
M Denial of Service (DoS) Affected versions of this package are vulnerable to Denial of Service (DoS) via HTTP requests, when both of these conditions are true: Spring MVC or Spring WebFlux is in use. `org.springframework.boot:spring-boot-actuator` is on the classpath. How to fix Denial of Service (DoS)? Upgrade `org.springframework.boot:spring-boot-actuator` to version 2.7.18, 3.0.13, 3.1.6 or higher.	[,2.7.18)[3.0.0,3.0.13)[3.1.0,3.1.6)

Vulnerability

Vulnerable Version

Authentication Bypass Using an Alternate Path or Channel

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Actuator CloudFoundry endpoints. An attacker can gain unauthorized access to protected endpoints by sending requests to application endpoints declared under the CloudFoundry Actuator path.

Note:

This is only exploitable if all of the following conditions are met:

the application is a web application
the application contributes an application endpoint that requires authentication under a subpath, like "/cloudfoundryapplication/admin"

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade org.springframework.boot:spring-boot-actuator to version 3.5.12, 4.0.4 or higher.

[,3.5.12)[4.0.0-M1,4.0.4)

Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via HTTP requests, when both of these conditions are true:

Spring MVC or Spring WebFlux is in use.
org.springframework.boot:spring-boot-actuator is on the classpath.

How to fix Denial of Service (DoS)?

Upgrade org.springframework.boot:spring-boot-actuator to version 2.7.18, 3.0.13, 3.1.6 or higher.

[,2.7.18)[3.0.0,3.0.13)[3.1.0,3.1.6)

org.springframework.boot:spring-boot-actuator@2.3.12.RELEASE vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically