All Vulnerability Reports

CVE-2018-1196: Symlink privilege escalation attack via Spring Boot launch script




Spring by Pivotal


Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service[1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system.

In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server.

Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.


Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • Spring Boot
    • 1.5.0 - 1.5.9
    • 2.0.0.M1 - 2.0.0.M7
  • Older unmaintained versions of Spring Boot were not analyzed and may be impacted.


Users of affected versions should apply the following mitigation:

  • 1.5.x users should update to 1.5.10
  • 2.0.x pre-release users should update to 2.0.0.RC1


This issue was identified and reported by Adam Stephens from Oracle Cloud Operations, UK and responsibly reported to Pivotal.


2018-01-30: Initial vulnerability report published