5.9
CVE-2018-1196
- EPSS 0.6%
- Published 19.03.2018 18:29:00
- Last modified 21.11.2024 03:59:22
- Source security_alert@emc.com
- Teams watchlist Login
- Open Login
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.
Data is provided by the National Vulnerability Database (NVD)
VMware ≫ Spring Boot Version <= 1.5.9
VMware ≫ Spring Boot Version2.0.0 Updatemilestone1
VMware ≫ Spring Boot Version2.0.0 Updatemilestone2
VMware ≫ Spring Boot Version2.0.0 Updatemilestone3
VMware ≫ Spring Boot Version2.0.0 Updatemilestone4
VMware ≫ Spring Boot Version2.0.0 Updatemilestone5
VMware ≫ Spring Boot Version2.0.0 Updatemilestone6
VMware ≫ Spring Boot Version2.0.0 Updatemilestone7
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.6% | 0.683 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 5.9 | 2.2 | 3.6 |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-59 Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.