CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
36.3%
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.
Vendor | Product | Version | CPE |
---|---|---|---|
vmware | spring_boot | * | cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:* |
vmware | spring_boot | 2.0.0 | cpe:2.3:a:vmware:spring_boot:2.0.0:milestone1:*:*:*:*:*:* |
vmware | spring_boot | 2.0.0 | cpe:2.3:a:vmware:spring_boot:2.0.0:milestone2:*:*:*:*:*:* |
vmware | spring_boot | 2.0.0 | cpe:2.3:a:vmware:spring_boot:2.0.0:milestone3:*:*:*:*:*:* |
vmware | spring_boot | 2.0.0 | cpe:2.3:a:vmware:spring_boot:2.0.0:milestone4:*:*:*:*:*:* |
vmware | spring_boot | 2.0.0 | cpe:2.3:a:vmware:spring_boot:2.0.0:milestone5:*:*:*:*:*:* |
vmware | spring_boot | 2.0.0 | cpe:2.3:a:vmware:spring_boot:2.0.0:milestone6:*:*:*:*:*:* |
vmware | spring_boot | 2.0.0 | cpe:2.3:a:vmware:spring_boot:2.0.0:milestone7:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
36.3%