Vulnerability Details : CVE-2018-1196
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
Products affected by CVE-2018-1196
- cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_boot:2.0.0:milestone2:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_boot:2.0.0:milestone7:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_boot:2.0.0:milestone3:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_boot:2.0.0:milestone4:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_boot:2.0.0:milestone5:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_boot:2.0.0:milestone6:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_boot:2.0.0:milestone1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1196
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- Percentile: ~42% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-1196
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2018-1196
- The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1196
- https://pivotal.io/security/cve-2018-1196
  CVE-2018-1196: Symlink privilege escalation attack via Spring Boot launch script | Security | Pivotal (Vendor Advisory)