Pivotal Software Spring Boot

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking

CVE-2022-27772 7.8 - High - March 30, 2022

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer

Exposure of Resource to Wrong Sphere

Element Plug-in for vCenter Server incorporates SpringBoot Framework

CVE-2021-26987 9.8 - Critical - March 15, 2021

Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to Remote Code Execution. All versions of Element Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management Node versions through 12.2 contain vulnerable versions of SpringBoot Framework.

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service

CVE-2018-1196 5.9 - Medium - March 19, 2018

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

insecure temporary file