CVE-2018-1196

Name of the Vulnerable Software and Affected Versions Spring Boot versions 1.5.9 and earlier Spring Boot versions 2.0.0.M1 through 2.0.0.M7

Description The issue allows the run user to overwrite and take ownership of any file on the same system due to a symlink attack. This can happen when the application is installed as a service and the run user has shell access to the server. Applications not installed as a service or not using the embedded launch script are not affected.

Recommendations For Spring Boot versions 1.5.9 and earlier, update to a version later than 1.5.9 to resolve the issue. For Spring Boot versions 2.0.0.M1 through 2.0.0.M7, update to a version later than 2.0.0.M7 to resolve the issue. As a temporary workaround, consider restricting shell access to the server for the run user to minimize the risk of exploitation.