
Cloud Vulnerability DB
A community-led vulnerabilities database
Spring Boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability specifically impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method, which is used to create work directories for embedded web servers like Tomcat and Jetty. The vulnerability was discovered and disclosed in March 2022 (GitHub Advisory, NVD).
The vulnerability exists due to a race condition in the createTempDir method. The method creates a temporary file, deletes it, and then attempts to create a directory with the same name. However, File.mkdir returns false instead of throwing an exception when it fails to create the directory, so the failure goes unnoticed, and an attacker can exploit the time window between the file deletion and the directory creation. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
If successfully exploited, a local attacker with permission to write in the temporary directory could completely take over the application, leading to local privilege escalation. The directory contains sensitive configuration files, JSP/class files, and other critical application components. This vulnerability primarily impacts Unix-like systems and older versions of Mac OSX and Windows that share the system temporary directory between all users (GitHub Advisory).
The vulnerability was fixed in Spring Boot version v2.2.11.RELEASE. For users unable to upgrade, a workaround is available by setting the java.io.tmpdir system property to a directory that is exclusively owned by the executing user (GitHub Advisory).
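To make the race described above concrete, here is an added Java example (not Spring Boot's own code): the create-delete-mkdir sequence with its unchecked mkdir return value, an atomic Files.createTempDirectory alternative, and a start-up check that enforces the java.io.tmpdir workaround. Class and method names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

public class TempDirExample {

    // Reconstruction of the pattern the advisory describes (hypothetical code).
    // Between delete() and mkdir() another local user of a shared /tmp can
    // create a directory with this name; mkdir() then returns false, but the
    // result is ignored, so the attacker-owned directory is used as the work dir.
    static File createTempDirUnsafe(String prefix) throws IOException {
        File tempFile = File.createTempFile(prefix + ".", ".tmp");
        tempFile.delete();
        tempFile.mkdir(); // return value ignored: silent failure
        return tempFile;
    }

    // Safer form: Files.createTempDirectory creates a fresh, uniquely named
    // directory atomically (with owner-only permissions on POSIX) and throws
    // instead of returning a path that already existed.
    static File createTempDirSafe(String prefix) throws IOException {
        Path dir = Files.createTempDirectory(prefix + ".");
        return dir.toFile();
    }

    // Start-up check matching the advisory's workaround: refuse to run if
    // java.io.tmpdir is not owned by the current user or is world-writable.
    static void assertPrivateTmpDir() throws IOException {
        Path tmp = Path.of(System.getProperty("java.io.tmpdir"));
        String owner = Files.getOwner(tmp).getName();
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(tmp);
        if (!owner.equals(System.getProperty("user.name"))
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IllegalStateException("java.io.tmpdir " + tmp
                    + " is shared; start with -Djava.io.tmpdir=<private directory>");
        }
    }

    public static void main(String[] args) throws IOException {
        assertPrivateTmpDir(); // throws on a default world-writable /tmp
        File work = createTempDirSafe("tomcat");
        System.out.println("work directory: " + work);
    }
}
```

On a stock Linux host the check in main fails for /tmp (root-owned, world-writable), which is exactly the shared-directory condition the advisory warns about; it passes once java.io.tmpdir points at a user-owned directory.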
Source: This report was generated using AI