Spring · Spring Boot · CVE-2018-1196
**Name of the Vulnerable Software and Affected Versions**
Spring Boot versions 1.5.9 and earlier
Spring Boot versions 2.0.0.M1 through 2.0.0.M7
**Description**
The embedded launch script allows the `run user` to overwrite, and take ownership of, any file on the same system through a symlink attack. This is exploitable when the application is installed as a service and the `run user` has shell access to the server. Applications that are not installed as a service, or that do not use the embedded launch script, are not affected.
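The class of bug described above is a privileged service script writing into a directory that the unprivileged `run user` can modify: a symlink planted there redirects the write (or the ownership change) to an arbitrary file. The following helpers are an added example for defenders and are not Spring Boot's own launch script; they show the pre-write checks such a script needs (refuse a symlink target, refuse a symlinked or foreign-owned parent directory) plus a small audit that lists symlinks under a PID or log directory. The function names `safe_target`, `safe_write` and `audit_symlinks` are assumptions made here; the test data is constructed inline.

```shell
# Added example, not Spring Boot code: defensive helpers for a service script
# that must write PID/log files somewhere the run user can also write.

# safe_target PATH
# Returns 0 only if writing PATH from a privileged script is reasonably safe:
#   - the parent directory exists and is not itself a symlink
#   - the parent directory is owned by the user running this script
#   - PATH itself is not a symlink (a planted link would redirect the write)
safe_target() {
    target=$1
    parent=$(dirname "$target")
    if [ -L "$parent" ]; then
        echo "refusing: parent directory $parent is a symlink" >&2
        return 1
    fi
    if [ ! -d "$parent" ]; then
        echo "refusing: parent directory $parent does not exist" >&2
        return 1
    fi
    # POSIX find: print the directory only if it is owned by the current user
    if [ -z "$(find "$parent" -prune -user "$(id -un)")" ]; then
        echo "refusing: parent directory $parent is not owned by $(id -un)" >&2
        return 1
    fi
    if [ -L "$target" ]; then
        echo "refusing: $target is a symlink" >&2
        return 1
    fi
    return 0
}

# safe_write PATH CONTENT
# Writes CONTENT (plus newline) to PATH only after safe_target accepts it.
safe_write() {
    safe_target "$1" || return 1
    printf '%s\n' "$2" > "$1"
}

# audit_symlinks DIR
# Lists every symlink below DIR (e.g. a PID or log directory owned by the
# run user). Empty output means nothing suspicious was found.
audit_symlinks() {
    find "$1" -type l 2>/dev/null
}
```

The check-then-write sequence still leaves a small race window between the test and the open, so treat these checks as a detection layer: the durable fix is upgrading to a Spring Boot release with the corrected launch script and keeping PID and log directories owned by root rather than by the `run user`.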
**Recommendations**
For Spring Boot versions 1.5.9 and earlier, update to a version later than 1.5.9 to resolve the issue.
For Spring Boot versions 2.0.0.M1 through 2.0.0.M7, update to a version later than 2.0.0.M7 to resolve the issue.
As a temporary workaround, consider restricting shell access to the server for the `run user` to minimize the risk of exploitation.