CVE-2018-1196
N/A
N/A
Summary
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Dell EMC | Spring Boot | 1.5.0 - 1.5.9 | affected |
| Dell EMC | Spring Boot | 2.0.0.M1 - 2.0.0.M7 | affected |
Weaknesses
- privilege escalation
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.