Summary

Acunetix 360 detected that the Spring Boot web application is configured with Admin MBean enabled. Spring Boot allows developers to enable admin-related features for the application by specifying the spring.application.admin.enabled property.

Impact

Depending on the configuration of the MBean, it might be possible for a remote attacker to manage the application remotely, including shutting it down without any authentication.

Actions To Take

In production websites it's recommended to disable the Admin MBean using the following configuration (in the Spring properties file):

spring.application.admin.enabled=false

Severity

Medium

Classification

CWE-16 OWASP 2013-A5 OWASP 2017-A6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N