microservices-platform

Sensitive Information Disclosure

Open NinjaGPT opened this issue 5 months ago • 0 comments

Summary

In the latest version 6.0.0, all microservices' Spring Actuator interfaces have no access control whatsoever, allowing any user to access and obtain various configurations, environment variables, and other sensitive information of the corresponding services.


POC

http://localhost:{port}/actuator

such as:
http://localhost:9900/actuator
http://localhost:7200/actuator

NinjaGPT, Jul 26 '25 01:07
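For auditing your own services against the exposure reported above, the following added example (not part of the issue or of the project's code) classifies the reply to an unauthenticated request for `/actuator`. It assumes the standard Spring Boot `_links` index format; the function names, the risk grouping and the sample response are constructed for illustration.

```python
import json

# Endpoint ids grouped by how much they reveal. The grouping is this
# example's own judgement, not a classification published by Spring.
HIGH = {"env", "configprops", "heapdump", "threaddump", "logfile",
        "httptrace", "httpexchanges", "sessions", "shutdown", "jolokia",
        "gateway", "refresh", "restart"}
MEDIUM = {"beans", "mappings", "conditions", "loggers", "metrics",
          "scheduledtasks", "caches", "prometheus"}


def _result(verdict, high=(), medium=(), other=()):
    return {"verdict": verdict, "high": list(high),
            "medium": list(medium), "other": list(other)}


def audit_actuator_index(status: int, body: str) -> dict:
    """Classify the reply to an unauthenticated GET <base>/actuator."""
    if status in (401, 403):
        return _result("protected")
    try:
        doc = json.loads(body)
        links = doc["_links"] if isinstance(doc, dict) else None
    except (ValueError, KeyError):
        links = None  # e.g. an HTML login page or an error document
    if status != 200 or not isinstance(links, dict):
        return _result("not-an-actuator-index")
    # Templated links look like "env-toMatch"; keep only the endpoint id.
    ids = {name.split("-", 1)[0] for name in links} - {"self"}
    high, medium = sorted(ids & HIGH), sorted(ids & MEDIUM)
    verdict = ("exposed-high" if high else
               "exposed-medium" if medium else "exposed-low")
    return _result(verdict, high, medium, sorted(ids - HIGH - MEDIUM))


# Constructed sample index (not captured from the project).
def _link(path, templated=False):
    return {"href": "http://localhost:9900/actuator" + path,
            "templated": templated}


SAMPLE_BODY = json.dumps({"_links": {
    "self": _link(""), "health": _link("/health"),
    "health-path": _link("/health/{*path}", True),
    "info": _link("/info"), "env": _link("/env"),
    "env-toMatch": _link("/env/{toMatch}", True),
    "heapdump": _link("/heapdump"), "beans": _link("/beans"),
}})

if __name__ == "__main__":
    print(audit_actuator_index(200, SAMPLE_BODY))
    print(audit_actuator_index(401, ""))
```

A service that reports `exposed-high` needs its exposure narrowed with `management.endpoints.web.exposure.include` and the remaining endpoints placed behind authentication, for example with Spring Security.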