zlt2000 Microservices-Platform Spring Actuator Interface Information Disclosure Vulnerability

Vulnerability

An information disclosure vulnerability has been identified in zlt2000 microservices-platform versions prior to 6.0.0. The issue lies in the Spring Actuator interface, specifically the '/actuator' endpoint, which lacks proper access controls. As a result, any unauthenticated remote user can retrieve sensitive data, including configuration and environment variables, from the affected microservices.

Impact

Exploitation of this vulnerability allows unauthorized users to access sensitive information from the affected microservices, potentially including confidential configurations and environment variables.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated request to the '/actuator' endpoint of any microservice running on the affected platform, using a web browser or a tool such as curl against the port on which the microservice listens.

Remediation

It is recommended to apply restrictive firewall rules that block unauthorized access to the '/actuator' endpoints. Additionally, update to a version of zlt2000 microservices-platform that includes the necessary access controls for the Spring Actuator interfaces.
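As an added illustration of the missing control (this is example code, not the zlt2000 project's own configuration), the following Spring Security filter chain requires authentication for every actuator endpoint while leaving only the health probe open. It assumes Spring Boot 3 with Spring Security 6 on the classpath; the role name ACTUATOR_ADMIN is an assumed placeholder.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/*
 * Weak state (what the advisory describes): actuator endpoints are reachable
 * without any authentication, so /actuator/env and /actuator/configprops
 * return configuration and environment variables to anyone who can connect.
 * In application.yml that typically looks like:
 *
 *   management.endpoints.web.exposure.include: "*"
 *
 * with no security filter chain covering the actuator paths.
 *
 * Hardened state (below): a dedicated filter chain matched to all actuator
 * endpoints, ordered ahead of the application's chain, that permits only
 * the health endpoint anonymously and demands an authenticated user holding
 * an assumed ACTUATOR_ADMIN role for everything else. Pair this with a
 * narrowed exposure list, for example:
 *
 *   management.endpoints.web.exposure.include: health,info
 *   management.endpoint.env.show-values: never
 */
@Configuration
public class ActuatorSecurityConfig {

    @Bean
    @Order(1) // evaluated before the application's own SecurityFilterChain
    SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // scope this chain to /actuator and every endpoint beneath it
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // liveness/readiness probe stays reachable for orchestrators
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // env, configprops, heapdump, etc. require the assumed role
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            // HTTP Basic is sufficient for operator tooling; swap for the
            // platform's token-based scheme if one is already in place
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

After deploying, an unauthenticated request to /actuator/env should return 401 rather than the environment listing; /actuator/health should still answer.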

Added: Aug 8, 2025, 8:17 PM
Updated: Aug 8, 2025, 8:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.