Spring Actuator endpoints publicly available and broken authentication
Team Summary
Official summary from LY Corporation
Due to insufficient access control, it was possible to access the Spring Boot Actuator endpoints /heapdump and /env. @kazan71p identified two highly sensitive applications leaking information through these endpoints. The LINE Security team shut down the secondary endpoints just as it was discovered by the reporter, as part of our incident response process. After further investigation, we also found that both applications had the same issue with their authentication functionality, due to using the same library. The issue was that old tokens were not expiring and were not being properly invalidated, allowing for replay attacks that should not have been possible. The applications were highly sensitive in nature, but due to not being able to retrieve specific data, we decided to award a bounty slightly below the maximum reward for this type of issue. We want to thank @kazan71p for his cooperation and contribution to our program!
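The access-control gap above is a matter of Actuator exposure and a missing security filter chain. The following is an added example, not code from LY Corporation or the affected applications, showing the weak property setting next to a hardened one and a Spring Security chain that puts every actuator endpoint behind authentication; it assumes Spring Boot 3.x with spring-boot-starter-actuator and spring-boot-starter-security, and the package, role name and bean name are hypothetical.

```java
package com.example.actuatorhardening; // hypothetical package, not from the report

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Weak state the report describes, expressed as configuration:
    //   management.endpoints.web.exposure.include=*
    // combined with no security filter chain covering the actuator base path,
    // so /heapdump and /env answer to anyone who can reach the port.
    //
    // Corrected application properties (pair them with the filter chain below):
    //   management.endpoints.web.exposure.include=health,info
    //   management.endpoint.heapdump.enabled=false
    //   management.endpoint.env.enabled=false
    //   management.endpoint.health.show-details=when-authorized

    @Bean
    @Order(1) // evaluated before the application's own filter chain
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            // Match every actuator endpoint regardless of the configured base
            // path, so an endpoint enabled later is still covered by default.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probes may stay anonymous...
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // ...every other actuator endpoint requires an operator role.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Disabling heapdump and env outright is the safer default; if an operator genuinely needs /env, keeping it behind this chain and the `show-details=when-authorized` style of gating limits what an unauthenticated request can learn.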
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$12500.00
Submitted
Weakness
Misconfiguration