Spring Boot Temporary Directory Hijacking Local Privilege Escalation (CVE-2022-27772)

Critical Vulnerability Information Vulnerability Title Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in org.springframework.boot:spring-boot Affected Scope Affected Versions: < v2.2.11.RELEASE Fixed Version: v2.2.11.RELEASE Severity CVSS v3 Base Metrics: - Attack Vector: Local - Attack Complexity: High - Required Privileges: Low - User Interaction: None - Scope: Changed - Confidentiality: High - Integrity: High - Availability: High CVSS v3.1 Score: 7.9/10 Vulnerability Description Spring Boot versions prior to v2.2.11.RELEASE are affected by a temporary directory hijacking vulnerability. This vulnerability impacts the method. The affected method is used to create working directories for embedded web servers (such as Tomcat and Jetty). If a local attacker gains write access to the directory, they can fully take over the application (i.e., achieve local privilege escalation). Vulnerability Location This vulnerability affects the following source code location: spring-boot/src/main/java/org/springframework/boot/web/server/AbstractConfigurableWebServerFactory.java#L165 Root Cause The vulnerability exists because returns when directory creation fails, but does not throw an exception. This creates a race condition. Affected Systems This vulnerability affects Unix-like systems, as well as very old versions of Mac OS X and Windows, due to their shared system temporary directories. Fix The vulnerability was fixed in version v2.2.11.RELEASE and later. Temporary Mitigation Setting the system environment variable to a directory owned exclusively by the executing user can mitigate this vulnerability across all operating systems. Related Links CVE ID: CVE-2022-27772 Weaknesses: CWE-377, CWE-379

Goal Reached Thanks to every supporter — we hit 100%!

Spring Boot Temporary Directory Hijacking Local Privilege Escalation (CVE-2022-27772)

More from this source