CVE-2026-40977 - Medium - CVE-2026-40977: PID file write follows symlinks at predictable default path
Spring
·
2026-04-23
·
via Spring Security Advisories
Description When an application is configured to use ApplicationPidFileWriter , a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected Spring Products and Versions Spring Boot: 4.0.0 - 4.0.5 3.5.0 - 3.5.13 3.4.0 - 3.4.15 3.3.0 - 3.3.18 2.7.0 - 2.7.32 Versions that are no longer supported are also affected. Mitigation Users of affected versions should upgrade to the corresponding fixed version. Affected version(s) Fix version Availability 4.0.x 4.0.6 OSS 3.5.x 3.5.14 OSS 3.4.x 3.4.16 Enterprise Support Only 3.3.x 3.3.19 Enterprise Support Only 2.7.x 2.7.33 Enterprise Support Only No further mitigation steps are necessary. References https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H&version=3.1 History 2026-04-23: Initial vulnerability report published.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。