Spring Boot Actuator HikariCP Remote Code Execution

Critical | Web App Scanning Plugin ID 113198

Synopsis

Spring Boot Actuator HikariCP Remote Code Execution

Description

The Spring Boot framework is one of the most popular Java-based microservice frameworks; it helps developers deploy Java applications quickly and easily. When the Actuator endpoint is reachable with the env and restart endpoints enabled, an unauthenticated remote attacker can obtain remote code execution through the default HikariCP database connection pool combined with a common Java development database such as the H2 Database Engine.

Solution

If the Actuator endpoint is not needed, it should be disabled via 'management.security.enabled: true', or only the endpoints that are actually needed should be exposed with 'management.endpoints.web.exposure.include'. If the Actuator is required, it should be secured using Spring Security.
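The following application.yml fragments are an added illustration of the Solution above and are not part of the Tenable plugin or of Spring's own documentation: the first document shows the exposure this plugin reports, the second a hardened equivalent. Property names are assumed to be those of Spring Boot 2.x with Spring Cloud (the restart endpoint and writable env come from Spring Cloud), so check them against the version in use.

```yaml
# Added example, not from the plugin page. Two alternative YAML documents:
# deploy one or the other, never both together.

# --- Document 1: exposing configuration (what this plugin flags) ---
# Every web endpoint is exposed, including env and the Spring Cloud restart
# endpoint, and env accepts writes. Together they allow datasource settings
# to be changed and the HikariCP pool to be rebuilt with them.
management:
  endpoints:
    web:
      exposure:
        include: "*"          # weak: exposes env, restart and everything else
  endpoint:
    env:
      post:
        enabled: true         # weak: Spring Cloud writable env endpoint
    restart:
      enabled: true           # weak: Spring Cloud restart endpoint

---
# --- Document 2: hardened configuration ---
# Only health and info are exposed. env and restart are both excluded from
# web exposure and disabled outright, so widening the include list later
# does not silently bring them back; exclude takes precedence over include.
management:
  endpoints:
    web:
      exposure:
        include: "health,info"
        exclude: "env,restart"
  endpoint:
    env:
      enabled: false
      post:
        enabled: false        # no writes to the environment over HTTP
    restart:
      enabled: false
```

Limiting exposure does not replace authentication: if env or restart is genuinely needed, the Actuator must additionally sit behind Spring Security as the Solution states.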

See Also

https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database

Plugin Details

Severity: Critical

ID: 113198

Type: remote

Published: 3/24/2022

Updated: 3/13/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.5

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS Score Source: Tenable

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available
