Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the run_user to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the run_user requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Spring_boot | Vmware | * | 1.5.9 (including) |
| Spring_boot | Vmware | 2.0.0-milestone1 (including) | 2.0.0-milestone1 (including) |
| Spring_boot | Vmware | 2.0.0-milestone2 (including) | 2.0.0-milestone2 (including) |
| Spring_boot | Vmware | 2.0.0-milestone3 (including) | 2.0.0-milestone3 (including) |
| Spring_boot | Vmware | 2.0.0-milestone4 (including) | 2.0.0-milestone4 (including) |
| Spring_boot | Vmware | 2.0.0-milestone5 (including) | 2.0.0-milestone5 (including) |
| Spring_boot | Vmware | 2.0.0-milestone6 (including) | 2.0.0-milestone6 (including) |
| Spring_boot | Vmware | 2.0.0-milestone7 (including) | 2.0.0-milestone7 (including) |