{"containers":{"cna":{"affected":[{"product":"SUSE Enterprise Storage 5","vendor":"SUSE","versions":[{"lessThan":"8.0.53-29.32.1","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE Linux Enterprise Server 12-SP2-BCL","vendor":"SUSE","versions":[{"lessThan":"8.0.53-29.32.1","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE Linux Enterprise Server 12-SP2-LTSS","vendor":"SUSE","versions":[{"lessThan":"8.0.53-29.32.1","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE Linux Enterprise Server 12-SP3-BCL","vendor":"SUSE","versions":[{"lessThan":"8.0.53-29.32.1","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE Linux Enterprise Server 12-SP3-LTSS","vendor":"SUSE","versions":[{"lessThan":"8.0.53-29.32.1","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE Linux Enterprise Server 12-SP4","vendor":"SUSE","versions":[{"lessThan":"9.0.35-3.39.1","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE Linux Enterprise Server 12-SP5","vendor":"SUSE","versions":[{"lessThan":"9.0.35-3.39.1","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE Linux Enterprise Server 15-LTSS","vendor":"SUSE","versions":[{"lessThan":"9.0.35-3.57.3","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE Linux Enterprise Server for SAP 12-SP2","vendor":"SUSE","versions":[{"lessThan":"8.0.53-29.32.1","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE Linux Enterprise Server for SAP 12-SP3","vendor":"SUSE","versions":[{"lessThan":"8.0.53-29.32.1","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE Linux Enterprise Server for SAP 15","vendor":"SUSE","versions":[{"lessThan":"9.0.35-3.57.3","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE OpenStack Cloud 7","vendor":"SUSE","versions":[{"lessThan":"8.0.53-29.32.1","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE OpenStack Cloud 8","vendor":"SUSE","versions":[{"lessThan":"8.0.53-29.32.1","status":"affected","version":"tomcat","versionType":"custom"}]},{"product":"SUSE OpenStack Cloud Crowbar 8","vendor":"SUSE","versions":[{"lessThan":"8.0.53-29.32.1","status":"affected","version":"tomcat","versionType":"custom"}]}],"credits":[{"lang":"en","value":"Matthias Gerstner of SUSE"}],"datePublic":"2020-06-26T00:00:00.000Z","descriptions":[{"lang":"en","value":"A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-276","description":"CWE-276: Incorrect Default Permissions","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2021-03-07T14:06:28.000Z","orgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","shortName":"suse"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://bugzilla.suse.com/show_bug.cgi?id=1172405"},{"name":"openSUSE-SU-2020:0911","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html"},{"name":"[tomcat-users] 20200902 Re: regarding CVE-2020-8022 applicable to tomcat 8.5.57","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7%40%3Cusers.tomcat.apache.org%3E"},{"name":"[tomcat-users] 20200902 regarding CVE-2020-8022 applicable to tomcat 8.5.57","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1%40%3Cusers.tomcat.apache.org%3E"},{"name":"[axis-java-dev] 20210228 axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928%40%3Cjava-dev.axis.apache.org%3E"},{"name":"[axis-java-dev] 20210307 Re: axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be%40%3Cjava-dev.axis.apache.org%3E"}],"source":{"advisory":"https://bugzilla.suse.com/show_bug.cgi?id=1172405","defect":["1172405"],"discovery":"INTERNAL"},"title":"User-writeable configuration file /usr/lib/tmpfiles.d/tomcat.conf allows for escalation of priviliges","x_generator":{"engine":"Vulnogram 0.0.9"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@suse.com","DATE_PUBLIC":"2020-06-26T00:00:00.000Z","ID":"CVE-2020-8022","STATE":"PUBLIC","TITLE":"User-writeable configuration file /usr/lib/tmpfiles.d/tomcat.conf allows for escalation of priviliges"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"SUSE Enterprise Storage 5","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"8.0.53-29.32.1"}]}},{"product_name":"SUSE Linux Enterprise Server 12-SP2-BCL","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"8.0.53-29.32.1"}]}},{"product_name":"SUSE Linux Enterprise Server 12-SP2-LTSS","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"8.0.53-29.32.1"}]}},{"product_name":"SUSE Linux Enterprise Server 12-SP3-BCL","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"8.0.53-29.32.1"}]}},{"product_name":"SUSE Linux Enterprise Server 12-SP3-LTSS","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"8.0.53-29.32.1"}]}},{"product_name":"SUSE Linux Enterprise Server 12-SP4","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"9.0.35-3.39.1"}]}},{"product_name":"SUSE Linux Enterprise Server 12-SP5","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"9.0.35-3.39.1"}]}},{"product_name":"SUSE Linux Enterprise Server 15-LTSS","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"9.0.35-3.57.3"}]}},{"product_name":"SUSE Linux Enterprise Server for SAP 12-SP2","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"8.0.53-29.32.1"}]}},{"product_name":"SUSE Linux Enterprise Server for SAP 12-SP3","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"8.0.53-29.32.1"}]}},{"product_name":"SUSE Linux Enterprise Server for SAP 15","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"9.0.35-3.57.3"}]}},{"product_name":"SUSE OpenStack Cloud 7","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"8.0.53-29.32.1"}]}},{"product_name":"SUSE OpenStack Cloud 8","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"8.0.53-29.32.1"}]}},{"product_name":"SUSE OpenStack Cloud Crowbar 8","version":{"version_data":[{"version_affected":"<","version_name":"tomcat","version_value":"8.0.53-29.32.1"}]}}]},"vendor_name":"SUSE"}]}},"credit":[{"lang":"eng","value":"Matthias Gerstner of SUSE"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-276: Incorrect Default Permissions"}]}]},"references":{"reference_data":[{"name":"https://bugzilla.suse.com/show_bug.cgi?id=1172405","refsource":"CONFIRM","url":"https://bugzilla.suse.com/show_bug.cgi?id=1172405"},{"name":"openSUSE-SU-2020:0911","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html"},{"name":"[tomcat-users] 20200902 Re: regarding CVE-2020-8022 applicable to tomcat 8.5.57","refsource":"MLIST","url":"https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7@%3Cusers.tomcat.apache.org%3E"},{"name":"[tomcat-users] 20200902 regarding CVE-2020-8022 applicable to tomcat 8.5.57","refsource":"MLIST","url":"https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E"},{"name":"[axis-java-dev] 20210228 axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928@%3Cjava-dev.axis.apache.org%3E"},{"name":"[axis-java-dev] 20210307 Re: axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be@%3Cjava-dev.axis.apache.org%3E"}]},"source":{"advisory":"https://bugzilla.suse.com/show_bug.cgi?id=1172405","defect":["1172405"],"discovery":"INTERNAL"}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T09:48:25.548Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://bugzilla.suse.com/show_bug.cgi?id=1172405"},{"name":"openSUSE-SU-2020:0911","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html"},{"name":"[tomcat-users] 20200902 Re: regarding CVE-2020-8022 applicable to tomcat 8.5.57","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7%40%3Cusers.tomcat.apache.org%3E"},{"name":"[tomcat-users] 20200902 regarding CVE-2020-8022 applicable to tomcat 8.5.57","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1%40%3Cusers.tomcat.apache.org%3E"},{"name":"[axis-java-dev] 20210228 axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928%40%3Cjava-dev.axis.apache.org%3E"},{"name":"[axis-java-dev] 20210307 Re: axis2 1.7.9 is exposed to CVE-2020-8022 via tomcat dependency","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be%40%3Cjava-dev.axis.apache.org%3E"}]}]},"cveMetadata":{"assignerOrgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","assignerShortName":"suse","cveId":"CVE-2020-8022","datePublished":"2020-06-29T08:20:12.619Z","dateReserved":"2020-01-27T00:00:00.000Z","dateUpdated":"2024-09-17T00:16:49.694Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}