CVE-2022-27772 — Resource Exposure in Vmware Spring Boot

CWE-668 — Resource Exposure CWE-377 — Insecure Temporary File CWE-379 — Creation of Temporary File in Directory with Insecure Permissions4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.4%

top 36.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Boot

Timeline

PublishedMar 30

Latest updateJul 11

Description

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

▶NVDvmware/spring_boot< 2.2.11

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in org.springframework.boot:spring-boot↗2022-07-11

▶

OSV

Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in org.springframework.boot:spring-boot↗2022-07-11

▶

CVEList

CVE-2022-27772: spring-boot versions prior to version v2↗2022-03-30

▶