Improper Input Validation
CVE-2025-22235
Summary
"EndpointRequest.to()" creates a matcher for "null/**" if the actuator endpoint for which the "EndpointRequest" has been created is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:
- You use Spring Security
- "EndpointRequest.to()" has been used in a Spring Security chain configuration
- The endpoint which "EndpointRequest" references is disabled or not exposed via the web
- Your application handles requests to "/null" and this path needs protection

You are not affected if any of the following is true:
- You don't use Spring Security
- You don't use "EndpointRequest.to()"
- The endpoint which "EndpointRequest.to()" refers to is enabled and is exposed
- Your application does not handle requests to "/null" or this path does not need protection

The issue affects org.springframework.boot:spring-boot-actuator-autoconfigure versions through 2.7.24.2, 3.0.0 through 3.1.15.2, 3.2.0 through 3.2.13.2, 3.3.0 through 3.3.10, and 3.4.0 through 3.4.4.
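The following Spring Security configuration is an added example, not code from the advisory or from the Spring projects, that puts the affected pattern beside a hardened one. It assumes Spring Boot 3.x with spring-boot-starter-security and spring-boot-starter-actuator on the classpath; the package, class and role names are hypothetical.

```java
// Added example, not code from the advisory or from the Spring projects.
// Assumes Spring Boot 3.x with spring-boot-starter-security and
// spring-boot-starter-actuator; package, class and role names are hypothetical.
package com.example.actuatorsec;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Pattern that triggers the advisory on an affected version. If "health" or
    // "info" is disabled (management.endpoint.<id>.enabled=false) or is not listed
    // in management.endpoints.web.exposure.include, EndpointRequest.to("health", "info")
    // resolves to the path pattern "null/**". Because the first matching rule wins,
    // this permitAll then applies to /null/** instead of to the actuator endpoint,
    // and any application handler mounted under /null becomes reachable without
    // authentication. Deliberately not annotated with @Bean: shown for contrast only.
    SecurityFilterChain affectedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Hardened variant. In addition to upgrading past the affected versions listed
    // in the advisory, the actuator rule uses EndpointRequest.toAnyEndpoint(), so no
    // rule is keyed to a single endpoint that might later be disabled or left
    // unexposed, and the rule restricts actuator access instead of opening it up.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

A useful regression check in the application's own test suite is a MockMvc request to a path under /null that must require authentication (for example expecting HTTP 401 for an unauthenticated GET), run after any change to actuator exposure settings, since the matcher only degrades to "null/**" when the referenced endpoint stops being exposed.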
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- LOW
- LOW
CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
References
Advisory Timeline
- Published