Unknown · Spring Security · CVE-2025-22235
**Name of the Vulnerable Software and Affected Versions**
Spring Boot version 2.7.x
**Description**
The issue arises when `EndpointRequest.to()` creates a matcher for `null/**` if the actuator endpoint, for which the `EndpointRequest` has been created, is disabled or not exposed. An application may be affected if it uses Spring Security, `EndpointRequest.to()` has been used in a Spring Security chain configuration, the referenced endpoint is disabled or not exposed via web, and the application handles requests to `/null`, which needs protection.
**Recommendations**
For Spring Boot version 2.7.x, consider not using `EndpointRequest.to()` in the security chain until a patch is available. Restrict access to the vulnerable endpoint to minimize the risk of exploitation. Avoid using the `/null` path in the affected API endpoint until the issue is resolved.
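The following is an added example illustrating the Description and Recommendations above; it is not code from the advisory or from the Spring project. It assumes Spring Boot 2.7.x with the actuator and Spring Security starters on the classpath, the default `management.endpoints.web.base-path` of `/actuator`, and that the `shutdown` endpoint is left at its default disabled state. The class and bean names are hypothetical. The first chain shows the affected pattern (kept without `@Bean` so it is never registered); the second names the actuator path explicitly and protects `/null/**` with a rule placed before any actuator rule, since `authorizeHttpRequests` applies the first matching rule.

```java
// Added example (not from the advisory or the Spring project). Assumes Spring Boot 2.7.x
// with spring-boot-starter-actuator and spring-boot-starter-security; names are hypothetical.
package example.security;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Affected pattern: "shutdown" is disabled by default, so on an affected version
    // EndpointRequest.to("shutdown") resolves to a matcher for "null/**" instead of
    // "/actuator/shutdown/**". permitAll() then applies to requests under /null, and
    // the later anyRequest().authenticated() rule never sees them (first match wins).
    // Deliberately not annotated with @Bean: shown only so the pattern can be recognised.
    SecurityFilterChain affectedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(requests -> requests
                .requestMatchers(EndpointRequest.to("shutdown")).permitAll()
                .anyRequest().authenticated());
        return http.build();
    }

    // Hardened configuration:
    //  1. Protect the application's own /null path explicitly and place that rule first,
    //     so no later (possibly degraded) actuator matcher can open it up.
    //  2. Reference actuator paths by their concrete pattern instead of EndpointRequest.to(),
    //     so a disabled or unexposed endpoint cannot silently change what the matcher covers.
    //  3. Keep a deny-by-default catch-all at the end of the chain.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(requests -> requests
                .antMatchers("/null/**").authenticated()          // evaluated before any actuator rule
                .antMatchers("/actuator/health/**").permitAll()   // explicit path, assumes default base-path
                .anyRequest().authenticated());                   // everything else requires a principal
        return http.build();
    }
}
```

To confirm the fix in a given deployment, send an unauthenticated request to `/null` and to a sub-path such as `/null/anything` and check that the response is a 401 or redirect to login rather than the application's handler output; the `antMatchers` form used here is available in the Spring Security 5.7 line that Spring Boot 2.7.x ships with.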
Note: At the moment, there is no information about a newer version that contains a fix for this vulnerability.