CVE-2020-8022 - Vulnerability Details - OpenCVE

A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00187.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache Subscribe	Tomcat Subscribe
Opensuse Subscribe	Leap Subscribe
Suse Subscribe	Enterprise Storage Subscribe Linux Enterprise Server Subscribe Openstack Cloud Subscribe Openstack Cloud Crowbar Subscribe

Configuration 1 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:a:suse:enterprise_storage:5.0:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:12:sp2:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:12:sp2:*:*:ltss:*:*:*

Configuration 4 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:12:sp3:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:12:sp3:*:*:ltss:*:*:*

Configuration 6 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:12:sp2:*:*:*:sap:*:*

Configuration 7 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:12:sp3:*:*:*:sap:*:*

Configuration 8 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:a:suse:openstack_cloud:7.0:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:a:suse:openstack_cloud:8.0:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:a:suse:openstack_cloud_crowbar:8.0:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:12:sp4:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:12:sp5:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:15:*:*:*:*:sap:*:*

Configuration 14 [-]

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-1008	A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
Github GHSA	GHSA-gc58-v8h3-x2gr	Incorrect Default Permissions in Apache Tomcat

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html
https://bugzilla.suse.com/show_bug.cgi?id=1172405
https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7%40%3Cusers.tomcat.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2020-8022
https://www.cve.org/CVERecord?id=CVE-2020-8022

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2020-06-29T08:20:12.619393Z

Updated: 2024-09-17T00:16:49.694Z

Reserved: 2020-01-27T00:00:00

Link: CVE-2020-8022

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-06-29T09:15:11.307

Modified: 2024-11-21T05:38:14.210

Link: CVE-2020-8022

Redhat

Severity : Moderate

Publid Date: 2020-06-29T00:00:00Z

Links: CVE-2020-8022 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-276

{"containers": {"cna": {"affected": [{"product": "SUSE Enterprise Storage 5", "vendor": "SUSE", "versions": [{"lessThan": "8.0.53-29.32.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE Linux Enterprise Server 12-SP2-BCL", "vendor": "SUSE", "versions": [{"lessThan": "8.0.53-29.32.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE Linux Enterprise Server 12-SP2-LTSS", "vendor": "SUSE", "versions": [{"lessThan": "8.0.53-29.32.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE Linux Enterprise Server 12-SP3-BCL", "vendor": "SUSE", "versions": [{"lessThan": "8.0.53-29.32.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE Linux Enterprise Server 12-SP3-LTSS", "vendor": "SUSE", "versions": [{"lessThan": "8.0.53-29.32.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE Linux Enterprise Server 12-SP4", "vendor": "SUSE", "versions": [{"lessThan": "9.0.35-3.39.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE Linux Enterprise Server 12-SP5", "vendor": "SUSE", "versions": [{"lessThan": "9.0.35-3.39.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE Linux Enterprise Server 15-LTSS", "vendor": "SUSE", "versions": [{"lessThan": "9.0.35-3.57.3", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE Linux Enterprise Server for SAP 12-SP2", "vendor": "SUSE", "versions": [{"lessThan": "8.0.53-29.32.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE Linux Enterprise Server for SAP 12-SP3", "vendor": "SUSE", "versions": [{"lessThan": "8.0.53-29.32.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE Linux Enterprise Server for SAP 15", "vendor": "SUSE", "versions": [{"lessThan": "9.0.35-3.57.3", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE OpenStack Cloud 7", "vendor": "SUSE", "versions": [{"lessThan": "8.0.53-29.32.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE OpenStack Cloud 8", "vendor": "SUSE", "versions": [{"lessThan": "8.0.53-29.32.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}, {"product": "SUSE OpenStack Cloud Crowbar 8", "vendor": "SUSE", "versions": [{"lessThan": "8.0.53-29.32.1", "status": "affected", "version": "tomcat", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Matthias Gerstner of SUSE"}], "datePublic": "2020-06-26T00:00:00", "descriptions": [{"lang": "en", "value": "A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-07T14:06:28", "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172405"}, {"name": "openSUSE-SU-2020:0911", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html"}, {"name": "[tomcat-users] 20200902 Re: regarding CVE-2020-8022 applicable to tomcat 8.5.57", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7%40%3Cusers.tomcat.apache.org%3E"}, {"name": "[tomcat-users] 20200902 regarding CVE-2020-8022 applicable to tomcat 8.5.57", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1%40%3Cusers.tomcat.apache.org%3E"}, {"name": "[axis-java-dev] 20210228 axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928%40%3Cjava-dev.axis.apache.org%3E"}, {"name": "[axis-java-dev] 20210307 Re: axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be%40%3Cjava-dev.axis.apache.org%3E"}], "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1172405", "defect": ["1172405"], "discovery": "INTERNAL"}, "title": "User-writeable configuration file /usr/lib/tmpfiles.d/tomcat.conf allows for escalation of priviliges", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@suse.com", "DATE_PUBLIC": "2020-06-26T00:00:00.000Z", "ID": "CVE-2020-8022", "STATE": "PUBLIC", "TITLE": "User-writeable configuration file /usr/lib/tmpfiles.d/tomcat.conf allows for escalation of priviliges"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SUSE Enterprise Storage 5", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "8.0.53-29.32.1"}]}}, {"product_name": "SUSE Linux Enterprise Server 12-SP2-BCL", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "8.0.53-29.32.1"}]}}, {"product_name": "SUSE Linux Enterprise Server 12-SP2-LTSS", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "8.0.53-29.32.1"}]}}, {"product_name": "SUSE Linux Enterprise Server 12-SP3-BCL", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "8.0.53-29.32.1"}]}}, {"product_name": "SUSE Linux Enterprise Server 12-SP3-LTSS", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "8.0.53-29.32.1"}]}}, {"product_name": "SUSE Linux Enterprise Server 12-SP4", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "9.0.35-3.39.1"}]}}, {"product_name": "SUSE Linux Enterprise Server 12-SP5", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "9.0.35-3.39.1"}]}}, {"product_name": "SUSE Linux Enterprise Server 15-LTSS", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "9.0.35-3.57.3"}]}}, {"product_name": "SUSE Linux Enterprise Server for SAP 12-SP2", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "8.0.53-29.32.1"}]}}, {"product_name": "SUSE Linux Enterprise Server for SAP 12-SP3", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "8.0.53-29.32.1"}]}}, {"product_name": "SUSE Linux Enterprise Server for SAP 15", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "9.0.35-3.57.3"}]}}, {"product_name": "SUSE OpenStack Cloud 7", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "8.0.53-29.32.1"}]}}, {"product_name": "SUSE OpenStack Cloud 8", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "8.0.53-29.32.1"}]}}, {"product_name": "SUSE OpenStack Cloud Crowbar 8", "version": {"version_data": [{"version_affected": "<", "version_name": "tomcat", "version_value": "8.0.53-29.32.1"}]}}]}, "vendor_name": "SUSE"}]}}, "credit": [{"lang": "eng", "value": "Matthias Gerstner of SUSE"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-276: Incorrect Default Permissions"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.suse.com/show_bug.cgi?id=1172405", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172405"}, {"name": "openSUSE-SU-2020:0911", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html"}, {"name": "[tomcat-users] 20200902 Re: regarding CVE-2020-8022 applicable to tomcat 8.5.57", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7@%3Cusers.tomcat.apache.org%3E"}, {"name": "[tomcat-users] 20200902 regarding CVE-2020-8022 applicable to tomcat 8.5.57", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E"}, {"name": "[axis-java-dev] 20210228 axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928@%3Cjava-dev.axis.apache.org%3E"}, {"name": "[axis-java-dev] 20210307 Re: axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be@%3Cjava-dev.axis.apache.org%3E"}]}, "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1172405", "defect": ["1172405"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:25.548Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172405"}, {"name": "openSUSE-SU-2020:0911", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html"}, {"name": "[tomcat-users] 20200902 Re: regarding CVE-2020-8022 applicable to tomcat 8.5.57", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7%40%3Cusers.tomcat.apache.org%3E"}, {"name": "[tomcat-users] 20200902 regarding CVE-2020-8022 applicable to tomcat 8.5.57", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1%40%3Cusers.tomcat.apache.org%3E"}, {"name": "[axis-java-dev] 20210228 axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928%40%3Cjava-dev.axis.apache.org%3E"}, {"name": "[axis-java-dev] 20210307 Re: axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be%40%3Cjava-dev.axis.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "assignerShortName": "suse", "cveId": "CVE-2020-8022", "datePublished": "2020-06-29T08:20:12.619393Z", "dateReserved": "2020-01-27T00:00:00", "dateUpdated": "2024-09-17T00:16:49.694Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B0095DD-61C0-4FC9-A466-8335D4AF1AEF", "versionEndExcluding": "8.0.53-29.32.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:suse:enterprise_storage:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "CB13FD29-BB94-4B33-870F-7EC956E87515", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B0095DD-61C0-4FC9-A466-8335D4AF1AEF", "versionEndExcluding": "8.0.53-29.32.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:sp2:*:*:*:*:*:*", "matchCriteriaId": "F84B2729-7B52-4505-9656-1BD31B980705", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B0095DD-61C0-4FC9-A466-8335D4AF1AEF", "versionEndExcluding": "8.0.53-29.32.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:sp2:*:*:ltss:*:*:*", "matchCriteriaId": "32C12523-2500-44D0-97EE-E740BD3E61B3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B0095DD-61C0-4FC9-A466-8335D4AF1AEF", "versionEndExcluding": "8.0.53-29.32.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:sp3:*:*:*:*:*:*", "matchCriteriaId": "631BB7F0-5F27-4244-8E72-428DA824C75B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B0095DD-61C0-4FC9-A466-8335D4AF1AEF", "versionEndExcluding": "8.0.53-29.32.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:sp3:*:*:ltss:*:*:*", "matchCriteriaId": "C6622CD4-DF4B-4064-BAEB-5E382C4B05C8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B0095DD-61C0-4FC9-A466-8335D4AF1AEF", "versionEndExcluding": "8.0.53-29.32.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:sp2:*:*:*:sap:*:*", "matchCriteriaId": "3691A00A-D075-437B-A818-C7C26EE73532", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B0095DD-61C0-4FC9-A466-8335D4AF1AEF", "versionEndExcluding": "8.0.53-29.32.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:sp3:*:*:*:sap:*:*", "matchCriteriaId": "16729D9C-DC05-41BD-9B32-682983190CE0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B0095DD-61C0-4FC9-A466-8335D4AF1AEF", "versionEndExcluding": "8.0.53-29.32.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:suse:openstack_cloud:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "6A11C023-22C5-409C-9818-2C91D51AE01B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B0095DD-61C0-4FC9-A466-8335D4AF1AEF", "versionEndExcluding": "8.0.53-29.32.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:suse:openstack_cloud:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "1C3BEB21-4080-4258-B95C-562D717AED0B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B0095DD-61C0-4FC9-A466-8335D4AF1AEF", "versionEndExcluding": "8.0.53-29.32.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:suse:openstack_cloud_crowbar:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "1675CBE5-44D3-4326-AE8B-EEB9E25D783A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "D89AB32C-1920-4936-9904-4E64F174B0E4", "versionEndExcluding": "9.0.35-3.39.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:sp4:*:*:*:*:*:*", "matchCriteriaId": "55E8AB88-2347-497B-91DE-AF64E08ED8F3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "D89AB32C-1920-4936-9904-4E64F174B0E4", "versionEndExcluding": "9.0.35-3.39.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:sp5:*:*:*:*:*:*", "matchCriteriaId": "29AE5751-3EA5-4056-8E79-16D8DCD248EF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FC1168B-713C-413E-B518-0D1E98052E46", "versionEndExcluding": "9.0.35-3.57.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:15:*:*:*:*:sap:*:*", "matchCriteriaId": "C665A768-DBDA-4197-9159-A2791E98A84F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1."}, {"lang": "es", "value": "Una vulnerabilidad de Permisos Predeterminados Incorrectos en el paquete tomcat en SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8, permite a atacantes locales escalar del grupo tomcat a root. Este problema afecta a: tomcat de SUSE Enterprise Storage 5 versiones anteriores a 8.0.53-29.32.1. tomcat de SUSE Linux Enterprise Server 12-SP2-BCL versiones anteriores a 8.0.53-29.32.1. tomcat de SUSE Linux Enterprise Server 12-SP2-LTSS versiones anteriores a 8.0.53-29.32.1. tomcat de SUSE Linux Enterprise Server 12-SP3-BCL versiones anteriores a 8.0.53-29.32.1. tomcat de SUSE Linux Enterprise Server 12-SP3-LTSS versiones anteriores a 8.0.53-29.32.1. tomcat de SUSE Linux Enterprise Server 12-SP4 versiones anteriores a 9.0.35-3.39.1. tomcat de SUSE Linux Enterprise Server 12-SP5 versiones anteriores a 9.0.35-3.39.1. tomcat de SUSE Linux Enterprise Server 15-LTSS versiones anteriores a 9.0.35-3.57.3. tomcat de SUSE Linux Enterprise Server for SAP 12-SP2 versiones anteriores a 8.0.53-29.32.1. tomcat de SUSE Linux Enterprise Server for SAP 12-SP3 versiones anteriores a 8.0.53-29.32.1. tomcat de SUSE Linux Enterprise Server for SAP 15 versiones anteriores a 9.0.35-3.57.3. tomcat de SUSE OpenStack Cloud 7 versiones anteriores a 8.0.53-29.32.1. tomcat de SUSE OpenStack Cloud 8 versiones anteriores a 8.0.53-29.32.1. tomcat de SUSE OpenStack Cloud Crowbar 8 versiones anteriores a 8.0.53-29.32.1"}], "id": "CVE-2020-8022", "lastModified": "2024-11-21T05:38:14.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.2, "source": "meissner@suse.de", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-29T09:15:11.307", "references": [{"source": "meissner@suse.de", "tags": ["Mailing List", "Vendor Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html"}, {"source": "meissner@suse.de", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172405"}, {"source": "meissner@suse.de", "url": "https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be%40%3Cjava-dev.axis.apache.org%3E"}, {"source": "meissner@suse.de", "url": "https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928%40%3Cjava-dev.axis.apache.org%3E"}, {"source": "meissner@suse.de", "url": "https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1%40%3Cusers.tomcat.apache.org%3E"}, {"source": "meissner@suse.de", "url": "https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7%40%3Cusers.tomcat.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172405"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be%40%3Cjava-dev.axis.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928%40%3Cjava-dev.axis.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1%40%3Cusers.tomcat.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7%40%3Cusers.tomcat.apache.org%3E"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "meissner@suse.de", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"bugzilla": {"description": "tomcat: /usr/lib/tmpfiles.d/tomcat.conf is group-writable", "id": "1852863", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1852863"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-276", "details": ["A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1."], "name": "CVE-2020-8022", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Out of support scope", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "jbossweb", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "tomcat", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2020-06-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8022\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8022"], "statement": "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of RHOSP14 and is only receiving security fixes for Important and Critical flaws.", "threat_severity": "Moderate"}