CVE-2018-1196
Description
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.boot:spring-bootMaven | >= 1.5.0, < 1.5.10 | 1.5.10 |
Affected products
2- Dell EMC/Spring Bootv5Range: 1.5.0 - 1.5.9
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-xx65-cc7g-9pfpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-1196ghsaADVISORY
- pivotal.io/security/cve-2018-1196nvdVendor AdvisoryWEB
News mentions
0No linked articles in our index yet.