漏洞描述
Jolokia是一款开源产品,用于为JMX(Java Management Extensions)技术提供HTTPAPI接口。其中,该产品提供了一个API,用于调用在服务器上注册的MBean并读/写其属性。JMX技术用于管理和监视设备、应用程序和网络驱动的服务。Spring Boot Actuator如果使用了Jolokia库,url的根目录下会存在''/jolokia''端点。jolokia允许使用http的方式对已注册的MBean进行访问,导致存在任意代码执行漏洞
SpringBoot jolokia logback 任意代码执行漏洞
PoC代码
暂无相关漏洞推荐
- springboot-actuator-unauth: Springboot Actuator Unauth
- POC CVE-2025-46822: Java-springboot-codebase 1.1 - Arbitrary File Read
- POC springboot-h2-db-rce: Spring Boot H2 Database RCE
- POC hikvision-env: Hikvision Springboot Env Actuator - Detect
- POC jolokia-mbean-search: Jolokia - Searching MBeans
- POC springboot-autoconfig: Detect Springboot autoconfig Actuator
- POC springboot-beans: Detect Springboot Beans Actuator
- POC springboot-caches: Springboot Actuator Caches
- POC springboot-conditions: Detect Springboot Conditions Actuator
- POC springboot-configprops: Detect Springboot Configprops Actuator
- POC springboot-dump: Detect Springboot Dump Actuator
- POC springboot-env: Springboot Env Actuator - Detect
- POC springboot-features: Detects Springboot Features Actuator