Danielle Aminov
danielleaminov.bsky.social
Threat researcher @ Wiz ✨
Check out the full blog for detailed analysis, technical examples, and tips on securing your Spring Boot Actuator deployments 🪄: www.wiz.io/blog/spring-...
Exploring Spring Boot Actuator Misconfigurations | Wiz Blog
Misconfigurations in Spring Boot Actuator’s endpoints can leak environment variables, passwords, and API keys, and even lead to remote code execution.
www.wiz.io
December 16, 2024 at 8:14 PM
Moreover, I’ve come across these misconfigs in prod envs - this is far from hypothetical.
Exposed secrets like cloud keys or DB credentials are practically gift-wrapped for attackers. And since using valid creds doesn’t raise alarms, these threats quietly slip under the radar.
December 16, 2024 at 8:14 PM
Exposed env endpoint – the following example shows an exposed env endpoint leaking DB login credentials and endpoint information:
December 16, 2024 at 8:14 PM
Even without CVE-2022-22947, exposing the gateway endpoint leads to SSRF by design, as it allows creating new routes. This enables attackers to access, for example, cloud metadata services (IMDSv1) and other sensitive resources.
Here's an SSRF example with an IMDSv1-configured VM:
December 16, 2024 at 8:14 PM
Spring Cloud Gateway versions 3.1.0, 3.0.0–3.0.6, and older are vulnerable to RCE (CVE-2022-22947). According to Wiz data, 28% of cloud environments using Spring Cloud Gateway are at risk. Exploitation requires misconfiguration exposing the gateway endpoint.
December 16, 2024 at 8:14 PM
The heapdump endpoint is designed to capture the current state of the Java heap - if sensitive information is loaded into the memory of a Java application’s JVM during its runtime, it might be included in the heap dump. Here's an example of a heap dump showing a leaked JWT.
December 16, 2024 at 8:14 PM
Spring Boot Actuator is a key observability tool for Java apps, found in 60% of cloud envs. When misconfigured to expose sensitive endpoints it can leak data (API keys, tokens, passwords) or even allow RCE. Watch out for exposed endpoints like: heapdump, env and gateway
December 16, 2024 at 8:14 PM
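The hardening the thread points at, as an added example that is not from the thread or the Wiz blog: a Spring Boot `application.properties` fragment with the over-permissive exposure setting next to a restricted one. Property names are standard Spring Boot Actuator management properties (`show-values` is Spring Boot 3.x); the port, bind address and the set of endpoints operators "need" are assumed values.

```properties
# --- Weak (what the thread warns about): every actuator endpoint reachable over HTTP,
# --- including env, heapdump and gateway. Shown commented out so this file stays safe to copy.
# management.endpoints.web.exposure.include=*

# --- Restricted exposure (assumed operator needs: health, info, metrics) ---
# Allow-list only the endpoints operators actually use.
management.endpoints.web.exposure.include=health,info,metrics
# Also deny the sensitive ones by name so a later widening of the allow-list cannot
# quietly re-expose them (exclude takes precedence over include).
management.endpoints.web.exposure.exclude=env,heapdump,gateway,configprops,beans,mappings
# Disable the dangerous endpoints outright, not just their HTTP exposure.
management.endpoint.heapdump.enabled=false
management.endpoint.gateway.enabled=false
# Spring Boot 3.x: mask property values even if env/configprops are ever exposed again.
management.endpoint.env.show-values=never
management.endpoint.configprops.show-values=never
# Serve actuator on a separate management port bound to loopback (assumed values),
# so it is not reachable on the application's public port at all.
management.server.port=9090
management.server.address=127.0.0.1
```

Exposure settings only decide which endpoints are routed over HTTP; they do not authenticate anyone, so pair them with Spring Security rules (e.g. `EndpointRequest.toAnyEndpoint()` restricted to an operator role) and log-based alerting on any request to `/actuator/env`, `/actuator/heapdump` or `/actuator/gateway`.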