CVE-2022-27772

7.8 HIGH

📋 TL;DR

Spring Boot versions before 2.2.11.RELEASE are vulnerable to temporary directory hijacking in AbstractServletWebServerFactory.createTempDir, the method that creates the working directory for the embedded servlet container. The method reserves a name with File.createTempFile, deletes that file and then calls mkdir without checking the result. A local user who can write to java.io.tmpdir (the shared /tmp on Linux) can create the same path in that window, after which the application keeps using a directory the attacker owns. That gives the attacker control over files the container reads and writes there, which can lead to file tampering or code execution as the application user. The affected versions are no longer supported by the maintainer; the fix is in 2.2.11.RELEASE.

💻 Affected Systems

Products:
  • Spring Boot
Versions: All versions prior to 2.2.11.RELEASE
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects products/versions no longer supported by the maintainer. The attacker needs a local account, or code already running, on the same host with write access to the JVM's java.io.tmpdir; the vulnerability is not reachable over the network.

📦 What is this software?

Spring Boot is a Java framework for building stand-alone Spring applications, usually packaged as a single executable jar with an embedded servlet container (Tomcat, Jetty or Undertow). The embedded container needs a working directory on disk, and createTempDir is where Spring Boot creates it under java.io.tmpdir.
⚠️ Risk & Real-World Impact

🔴

Worst Case

A local attacker who wins the race controls the directory the embedded servlet container uses as its working directory and can plant or alter the files it reads and writes there, leading to code execution as the application's user, escalation to whatever that account can reach, and compromise of the data the application serves.

🟠

Likely Case

Local attackers could pre-create or replace the container's temporary directory to read or tamper with the files it stores there, influencing application behaviour and potentially leading to data corruption or limited code execution as the application user.

🟢

If Mitigated

With java.io.tmpdir pointed at a directory that only the service account can access (mode 0700) and no other users on the host, there is nobody to win the race, and the impact is limited to the application's own temporary directory.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access or ability to manipulate temporary directory creation. Public advisory includes technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.11.RELEASE

Advisory (researcher's GHSA, not a Spring/VMware page): https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-cm59-pr5q-cw85

Restart Required: Yes

Instructions:

1. Upgrade Spring Boot to 2.2.11.RELEASE or later: bump the spring-boot-starter-parent version (or the Spring Boot BOM) in pom.xml, or the org.springframework.boot plugin version in build.gradle.
2. Rebuild the artifact so the repackaged jar picks up the new spring-boot jar.
3. Redeploy the application.
4. Restart the affected services.
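The following is an added example, not Spring Boot's source code, that re-creates the create/delete/mkdir race described in the TL;DR next to the atomic replacement and a post-creation check a practitioner can add to code that still builds temp directories by hand. The class and method names (TempDirDemo, createTempDirRacy, createTempDirAtomic, assertPrivate) are illustrative; the directory prefix "tomcat" and port 8080 are sample values.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

/** Added example (not Spring Boot's code): the CVE-2022-27772 pattern and its fix. */
public class TempDirDemo {

    /** Vulnerable shape: reserve a name with createTempFile, delete it, mkdir it.
     *  Between delete() and mkdir() any other local user who can write to
     *  java.io.tmpdir can create that path first; mkdir() then returns false,
     *  the result is ignored, and the caller uses a directory it does not own.
     *  Even without a race, the directory gets 0777 & ~umask (0755 under the
     *  usual umask 022), so other users can list its contents. */
    static File createTempDirRacy(String prefix, int port) throws IOException {
        File tempDir = File.createTempFile(prefix + ".", "." + port);
        tempDir.delete();   // window opens
        tempDir.mkdir();    // window closes; return value never checked
        tempDir.deleteOnExit();
        return tempDir;
    }

    /** Hardened shape: one atomic call. On POSIX the directory is created with
     *  mode 0700 and a name the JVM picks, so there is no window to race. */
    static File createTempDirAtomic(String prefix, int port) throws IOException {
        Path tempDir = Files.createTempDirectory(prefix + "." + port + ".");
        tempDir.toFile().deleteOnExit();
        return tempDir.toFile();
    }

    /** Defensive check: refuse symlinks, directories owned by someone else, and
     *  any group/world access. Only the symlink/directory check runs off POSIX. */
    static void assertPrivate(File dir) throws IOException {
        Path p = dir.toPath();
        if (Files.isSymbolicLink(p) || !Files.isDirectory(p, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("not a plain directory: " + p);
        }
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            return;
        }
        String owner = Files.getOwner(p, LinkOption.NOFOLLOW_LINKS).getName();
        if (!owner.equals(System.getProperty("user.name"))) {
            throw new IOException(p + " is owned by " + owner);
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p, LinkOption.NOFOLLOW_LINKS);
        Set<PosixFilePermission> forbidden = EnumSet.of(
                PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
                PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);
        if (!Collections.disjoint(perms, forbidden)) {
            throw new IOException(p + " is accessible to other users: " + perms);
        }
    }

    public static void main(String[] args) throws IOException {
        // 1. The racy version, run on its own, is already too permissive under a normal umask.
        File racy = createTempDirRacy("tomcat", 8080);
        try {
            assertPrivate(racy);
            System.out.println("racy dir accepted (umask must be 077): " + racy);
        } catch (IOException ex) {
            System.out.println("racy dir rejected: " + ex.getMessage());
        }
        racy.delete();

        // 2. Deterministic re-enactment of the race: an "attacker" creates the
        //    directory in the window between delete() and mkdir().
        File reserved = File.createTempFile("tomcat.", ".8080");
        reserved.delete();
        boolean attackerCreated = reserved.mkdir();   // attacker wins the window
        boolean victimCreated = reserved.mkdir();     // false, but the racy code never looks
        System.out.println("attacker mkdir=" + attackerCreated + ", victim mkdir=" + victimCreated);
        reserved.delete();

        // 3. The atomic version is 0700 and owned by us, so the check passes.
        File safe = createTempDirAtomic("tomcat", 8080);
        assertPrivate(safe);
        System.out.println("atomic dir accepted: " + safe);
        safe.delete();
    }
}
```

Compile and run with javac TempDirDemo.java && java TempDirDemo on a Linux host; step 1 is rejected under the default umask, step 2 shows the victim's mkdir returning false, and step 3 passes. assertPrivate is the check to keep if the upgrade cannot be applied and the application must continue creating directories under a shared java.io.tmpdir.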

🔧 Temporary Workarounds

Set custom temp directory

all

Point the JVM at a dedicated temporary directory that only the service account can reach. The directory must already exist, be owned by the account that runs the JVM, and have mode 0700; pointing java.io.tmpdir at another world-writable location gives no protection.

java -Djava.io.tmpdir=/secure/temp/dir -jar application.jar

Use container isolation

linux

Run the application in a container with a read-only root filesystem and a private tmpfs for /tmp, so java.io.tmpdir is not shared with other users on the host. Do not bind-mount the host's /tmp read-only: Spring Boot then cannot create its working directory at all and the application fails to start.

docker run --read-only --tmpfs /tmp:rw,nosuid,nodev,size=64m your-application

🧯 If You Can't Patch

  • Give the JVM its own temporary directory owned by the service account with mode 0700 (via -Djava.io.tmpdir); the system-wide /tmp is shared by design and cannot simply be chmod 700'd
  • Run the application with minimal privileges and filesystem isolation (container, dedicated host, or a systemd unit with PrivateTmp) so no other local user can write to its temporary directory

🔍 How to Verify

Check if Vulnerable:

Check the Spring Boot version in pom.xml or build.gradle, or in the built artifact: a jar repackaged by the Spring Boot plugin carries a Spring-Boot-Version attribute in META-INF/MANIFEST.MF and a spring-boot-<version>.jar under BOOT-INF/lib. Running the jar with --version does not print the version (it just starts the application); the banner written at start-up does.

Check Version:

mvn dependency:tree | grep 'org.springframework.boot:spring-boot:'
./gradlew dependencies --configuration runtimeClasspath | grep 'spring-boot:'

Verify Fix Applied:

Verify that the resolved spring-boot artifact (not only the declared parent or plugin) is 2.2.11.RELEASE or later, then start the application and confirm that the embedded container's working directory under java.io.tmpdir (named tomcat.* for Tomcat) is owned by the service account with mode drwx------.
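As an added example (not a Spring tool), the following reads the Spring-Boot-Version attribute that the Spring Boot Maven/Gradle repackager writes into the fat jar's manifest and compares it against 2.2.11. It assumes the artifact was built by that plugin; a plain jar has no such attribute and the program says so. The class and method names (SpringBootVersionCheck, readVersion, isVulnerable) are illustrative.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/** Added example: is this Spring Boot fat jar in the CVE-2022-27772 affected range? */
public class SpringBootVersionCheck {

    /** First fixed version, 2.2.11.RELEASE, as numeric parts. */
    static final int[] FIXED = {2, 2, 11};

    /** Parse "2.2.10.RELEASE", "2.4.0" or "1.5.22.RELEASE" into major/minor/patch;
     *  a non-numeric part (RELEASE, SNAPSHOT, RC1) ends the parse. */
    static int[] parse(String version) {
        String[] parts = version.split("[.-]");
        int[] nums = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            try {
                nums[i] = Integer.parseInt(parts[i]);
            } catch (NumberFormatException e) {
                break;
            }
        }
        return nums;
    }

    /** True when the version is below 2.2.11 (the advisory's affected range). */
    static boolean isVulnerable(String version) {
        int[] v = parse(version);
        for (int i = 0; i < 3; i++) {
            if (v[i] != FIXED[i]) {
                return v[i] < FIXED[i];
            }
        }
        return false;
    }

    /** Returns the Spring-Boot-Version manifest attribute, or null when the jar
     *  was not repackaged by the Spring Boot plugin. */
    static String readVersion(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile())) {
            Manifest mf = jf.getManifest();
            return mf == null ? null : mf.getMainAttributes().getValue("Spring-Boot-Version");
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java SpringBootVersionCheck application.jar");
            System.exit(2);
        }
        String version = readVersion(Paths.get(args[0]));
        if (version == null) {
            System.out.println("no Spring-Boot-Version attribute; inspect BOOT-INF/lib or the build file instead");
            System.exit(2);
        }
        boolean vulnerable = isVulnerable(version);
        System.out.println("Spring Boot " + version + (vulnerable ? " -> affected by CVE-2022-27772" : " -> fixed"));
        System.exit(vulnerable ? 1 : 0);
    }
}
```

The exit code (1 affected, 0 fixed, 2 undetermined) makes it usable in a fleet-wide inventory script; for a version such as 2.2.10.RELEASE the parse yields {2, 2, 10} and the check reports affected, while 2.2.11.RELEASE and anything later report fixed.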

📡 Detection & Monitoring

Log Indicators:

  • Directories under java.io.tmpdir named tomcat.* (or the Jetty/Undertow equivalents) that are not owned by the service account, are symlinks, or are group/world writable
  • Unexpected process execution or class loading from the application's temporary directory

Network Indicators:

  • None - local vulnerability

SIEM Query:

source="*spring-boot*" AND (event="file_create" OR event="process_exec") AND path="*/tmp/tomcat.*"

(Pseudo-query: map source, event and path to your SIEM's field names, and widen the path pattern to the value of java.io.tmpdir if the application does not use /tmp.)
