Hi everybody,

we recently observed an issue with our Spring Boot application using Spring Security and Spring Actuator. When requesting the application on a path with a double slash ("//") we did not receive a 400 response code and did not see the error log "The request was rejected because the URL contained a potentially malicious String "//"". Removing Spring Actuator from our dependencies fixed the issue.

You can check out the small demo project here. Notice ApiTest.kt, which runs fine without the Actuator package installed and fails with it.

Is there some configuration we're missing or did we do something wrong?

Thanks and best regards, Florian
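A regression test of the kind the post describes, written here as an added example (it is not the demo project's ApiTest.kt); the endpoint path /api/hello and the class name are assumptions. It sends the double-slash request through the full security filter chain and asserts on the 400 that StrictHttpFirewall is expected to produce, independently of whether the caller is authenticated:

```kotlin
import org.junit.jupiter.api.Test
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
import org.springframework.boot.test.context.SpringBootTest
import org.springframework.test.web.servlet.MockMvc
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status

// Added example: a regression test for the behaviour described in the post.
// Assumes a controller mapped at GET /api/hello (hypothetical path).
// With @AutoConfigureMockMvc the springSecurityFilterChain, and therefore
// the StrictHttpFirewall inside FilterChainProxy, is applied to every
// MockMvc request before any authentication or authorization decision.
@SpringBootTest
@AutoConfigureMockMvc
class DoubleSlashFirewallTest(@Autowired private val mockMvc: MockMvc) {

    @Test
    fun `double slash in the path is rejected before reaching the controller`() {
        // StrictHttpFirewall treats "//" as a non-normalized path and raises
        // RequestRejectedException, which is mapped to a 400 response.
        // A 401/403 here would mean the request reached the authentication
        // layer, i.e. the firewall check did not run for this path.
        mockMvc.perform(get("//api/hello"))
            .andExpect(status().isBadRequest())
    }
}
```

Running this test once with and once without spring-boot-starter-actuator on the classpath reproduces the difference the post reports.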

Comment From: wilkinsona

Duplicates https://github.com/spring-projects/spring-security/issues/12548.

In the future, if you believe you have found a situation where Spring Security is not effective and may be allowing access to something when it should not, please consider reporting the problem privately as requested in the issue template:

  • Security Vulnerability STOP!! Please don't raise security vulnerabilities here. Head over to https://spring.io/security-policy to learn how to disclose them responsibly.

Doing so allows us to provide a fix before the vulnerability becomes public, minimising the chances of it being exploited.