Exrick xboot Information Disclosure Vulnerability in Spring Boot Admin and Actuator
Vulnerability
A vulnerability allowing unauthenticated access to sensitive information has been identified in Exrick xboot versions through 3.3.4. This issue affects the Spring Boot Admin and Spring Actuator components, leading to unauthorized exposure of server configuration details and environment variables. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows for unauthorized access to sensitive server information, including configuration details and environment variables, which could be leveraged for further attacks or to compromise the server's integrity.
Reproduction
The vulnerability can be reproduced by sending a request to the '/xboot/admin/wallboard' or '/xboot/actuator' endpoints on a server running Exrick xboot version 3.3.4 or prior. No authentication is required to access these endpoints.
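As an added example (not code from the advisory or from the xboot project), the following Python script scans web-server access logs for requests to the two endpoints named above and distinguishes requests the server actually answered with a 2xx (served without authentication) from those it rejected; the combined log format, the path canonicalization rules and the sample log lines are assumptions.

```python
import re
from collections import namedtuple
from urllib.parse import unquote, urlsplit

# Endpoints named in the advisory. Treating both as path prefixes is an assumption.
SENSITIVE_PREFIXES = ("/xboot/actuator", "/xboot/admin")

# Apache/Nginx combined access-log layout; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# exposed is True when the server answered 2xx, i.e. no authentication was enforced
Finding = namedtuple("Finding", "ip path status exposed")

def normalize_path(target: str) -> str:
    """Canonicalize the request path so /xboot//Admin/ or %65nv still match."""
    path = unquote(urlsplit(target).path)
    path = re.sub(r"/+", "/", path).lower().rstrip("/")
    return path or "/"

def is_sensitive(path: str) -> bool:
    # Match only on a segment boundary, so /xboot/administrator is not flagged
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)

def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip it
    path = normalize_path(m.group("target"))
    if not is_sensitive(path):
        return None
    status = int(m.group("status"))
    return Finding(m.group("ip"), path, status, 200 <= status < 300)

def scan(lines):  # one Finding per request that reached a sensitive endpoint
    return [f for f in map(parse_line, lines) if f is not None]

def exposed_paths(lines):  # sensitive paths the server served instead of rejecting
    return sorted({f.path for f in scan(lines) if f.exposed})

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /xboot/actuator/env HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /xboot//Admin/wallboard/ HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /xboot/actuator/%65nv HTTP/1.1" 401 0',
    '198.51.100.7 - - [10/Oct/2023:14:02:15 +0000] "GET /xboot/api/login HTTP/1.1" 200 230',
    '192.0.2.9 - - [10/Oct/2023:14:10:01 +0000] "GET /xboot/administrator HTTP/1.1" 404 0',
]
```

A non-empty result from `exposed_paths` on production logs means the endpoints were reachable without credentials at that time, which is the condition the advisory describes; 401/403 responses indicate the endpoint was probed but protected.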
