Spring Boot Actuator Public Health Endpoint Leak
CVE-2024-9798 Published on October 10, 2024
Health endpoint offers list of onboarded services to unauthenticated users
The health endpoint is public so everybody can see a list of all services. It is potentially valuable information for attackers.
Weakness Type
Cleartext Storage of Sensitive Information
The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Products Associated with CVE-2024-9798
stack.watch emails you whenever new vulnerabilities are published in Linux Foundation Api Mediation Layer or Linux Foundation Zowe Api Mediation Layer. Just hit a watch button to start following.
Affected Versions
Open Mainframe Project Zowe:- Version 2.0.0 and below 2.18.0 is affected.
- Version 1.0.0 and below 1.28.8 is affected.
- Version 2.0.0 and below 2.18.0 is affected.
- Version 1.0.0 and below 1.28.8 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.