Halo Information Disclosure Vulnerability in Spring Actuator Component

Vulnerability

A vulnerability exists in Halo versions prior to 2.21.10, specifically within the Spring Actuator component's Configuration Handler. This issue arises from improper endpoint configuration that exposes sensitive information through multiple Actuator endpoints, such as env, heapdump, and logfile. The vulnerability allows information disclosure and can be exploited remotely, although exploitation requires high attack complexity.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive information, which could include environmental details, memory usage data, and log files, depending on the exposed Actuator endpoints.

Reproduction

The vulnerability can be reproduced by deploying Halo version 2.21.10 or earlier with the default Docker Compose configuration. After logging into the application, accessing the /actuator endpoint reveals the exposure of sensitive information through various endpoints that should not be publicly accessible.

Remediation

To address this vulnerability, it is recommended to disable all unnecessary sensitive Actuator endpoints and configure Spring Boot to expose only the minimal set of endpoints required for business operations.
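The following application.yaml is an added example of that remediation for a Spring Boot 3 application; it is not Halo's own configuration. The weak setting is shown commented out above the hardened one, and the property names are standard Spring Boot management properties (the exact minimal endpoint set is an assumption and must be chosen per deployment).

```yaml
# Added example, not Halo's shipped configuration.
#
# --- Weak: every Actuator endpoint exposed over HTTP, including env, heapdump and logfile ---
# management:
#   endpoints:
#     web:
#       exposure:
#         include: "*"
#
# --- Hardened: nothing enabled by default, expose only what operations needs ---
management:
  endpoints:
    enabled-by-default: false            # each Actuator endpoint stays off unless enabled below
    web:
      exposure:
        include: "health"                # assumed minimal set; widen deliberately, per endpoint
        exclude: "env,heapdump,logfile"  # defence in depth if include is ever broadened
  endpoint:
    health:
      enabled: true
      show-details: never                # no component details for unauthenticated callers
    env:
      show-values: never                 # Spring Boot 3: mask values even if env is re-enabled later
```

After deploying, confirm that /actuator/env, /actuator/heapdump and /actuator/logfile return 404 while /actuator/health still answers.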

Added: Dec 28, 2025, 3:17 PM
Updated: Dec 28, 2025, 3:17 PM

Vulnerability Rating

Custom Algorithm

spread:         5.4
impact:         2.5
exploitability: 4.6
remediation:    0.0
relevance:      1.6
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.