Thanks for reaching out. I hope you are doing well!
Usually there are certain endpoints in applications that should have their access secured so that external access to these endpoints is not possible. The actuator heap dump endpoint is enabled by default so that users of the connector can access it to retrieve the information belonging to that endpoint, and shouldn't be exposed to external access due to the reasons you mentioned.
Is there a specific reason why this endpoint access has not been restricted in your application? If you have restrictions in place for certain endpoints, could this endpoint have been missed (and others)?
Describe the Issue
Using the call below it is possible to get a Spring Boot Actuator heap dump.
A heap dump is a snapshot of JVM memory, which could expose environment variables and HTTP requests.
Vulnerable URL: https://hyperwallet-prod.yoox.com:443/actuator/heapdump
Curl Command: curl -X 'GET' -d '' -H 'Host: hyperwallet-prod.yoox.com:443' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36' 'https://hyperwallet-prod.yoox.com:443/actuator/heapdump'
The urgency is not only due to the very critical nature of the vulnerability when accessing a dump of the JVM memory (which, as said, would contain sensitive information), but also to two main reasons urging us to make patching as fast as possible:
- externally exposed application
- presence of particularly sensitive information, since the application handles transactions
These are the two main reasons that make it necessary to mitigate the vulnerability as quickly as possible, or to release a patch.
Environment: Live/Production
Version: No response
Expected Behavior: Disable access to /actuator/heapdump for the URL identified.
Actual Behavior: No response
Steps to Reproduce: No response
Pre-conditions: No response
Relevant log output: No response
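A defensive configuration that implements the expected behaviour above (actuator exposure narrowed to health/info, heapdump switched off, and every remaining actuator endpoint gated behind authentication), written as an added example rather than code from this project or the reporter. It assumes Spring Boot 3.x with spring-boot-starter-actuator and spring-boot-starter-security on the classpath; the package name and the role ACTUATOR_ADMIN are assumptions for illustration.

```java
// Added example (not the project's or the reporter's code): lock down Spring Boot Actuator
// so that /actuator/heapdump is neither exposed over HTTP nor reachable without authorization.
// Assumes Spring Boot 3.x + Spring Security 6; the role name ACTUATOR_ADMIN is an assumption.
//
// application.properties, weak setting (exposes every endpoint, heapdump included):
//   management.endpoints.web.exposure.include=*
//
// application.properties, corrected (expose only what operators need, disable heapdump):
//   management.endpoints.web.exposure.include=health,info
//   management.endpoint.heapdump.enabled=false

package com.example.security;   // hypothetical package name

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Second line of defence: even if an operator later widens the exposure list again,
    // every actuator request except health/info requires an authenticated ACTUATOR_ADMIN.
    // @Order(1) makes this chain take precedence over the application's default chain.
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(basic -> {});
        return http.build();
    }
}
```

With both the property change and the filter chain in place, an unauthenticated GET to /actuator/heapdump returns 401 (or 404 once the endpoint is disabled) instead of a JVM snapshot, and the change can be verified with the same curl request shown in the report.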