In Spring Boot, versions 1.0.0.RELEASE through 1.4.7.RELEASE are vulnerable to Improper Access Control. As part of the actuator feature, a Spring Boot app registers endpoints which can help developers to monitor their app while running. However, affected versions of Spring Boot permit unauthenticated users to access these endpoints, which result in system information disclosure as well as leakage of logs and session information, which can lead to session takeover. Other impacts include application denial-of-service, modification of application's environment and configuration and SQL injection. When certain libraries are on the target application's classpath, this can even lead to remote-code-execution.