CVE-2018-1196

19.03.2018, 18:29

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
dell	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 68%

Vendor	Product	Version
vmware	spring_boot	𝑥 ≤ 1.5.9
vmware	spring_boot	2.0.0:milestone1
vmware	spring_boot	2.0.0:milestone2
vmware	spring_boot	2.0.0:milestone3
vmware	spring_boot	2.0.0:milestone4
vmware	spring_boot	2.0.0:milestone5
vmware	spring_boot	2.0.0:milestone6
vmware	spring_boot	2.0.0:milestone7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

https://pivotal.io/security/cve-2018-1196