User-writeable configuration file /usr/lib/tmpfiles.d/tomcat.conf allows for escalation of priviliges
Description
A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | < 8.0.53 | 8.0.53 |
org.apache.tomcat:tomcatMaven | >= 9.0.0, < 9.0.35 | 9.0.35 |
Affected products
39- osv-coords25 versionspkg:apk/chainguard/tomcat-8.5.87pkg:apk/chainguard/tomcat-8.5.87-jamf-compatpkg:bitnami/tomcatpkg:maven/org.apache.tomcat/tomcatpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.1pkg:rpm/suse/tomcat&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
< 0+ 24 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 9.0.35-3.57.3
- (no CPE)range: < 8.0.53
- (no CPE)range: < 9.0.35-lp151.3.21.1
- (no CPE)range: < 8.0.53-29.32.1
- (no CPE)range: < 8.0.53-29.32.1
- (no CPE)range: < 9.0.35-3.57.3
- (no CPE)range: < 9.0.35-3.57.3
- (no CPE)range: < 9.0.35-4.35.1
- (no CPE)range: < 8.0.53-29.32.1
- (no CPE)range: < 8.0.53-29.32.1
- (no CPE)range: < 8.0.53-29.32.1
- (no CPE)range: < 8.0.53-29.32.1
- (no CPE)range: < 9.0.35-3.39.1
- (no CPE)range: < 9.0.35-3.39.1
- (no CPE)range: < 9.0.35-3.57.3
- (no CPE)range: < 8.0.53-29.32.1
- (no CPE)range: < 8.0.53-29.32.1
- (no CPE)range: < 9.0.35-3.39.1
- (no CPE)range: < 9.0.35-3.39.1
- (no CPE)range: < 9.0.35-3.57.3
- (no CPE)range: < 8.0.53-29.32.1
- (no CPE)range: < 8.0.53-29.32.1
- (no CPE)range: < 8.0.53-29.32.1
- Range: tomcat
tomcat+ 6 more
- (no CPE)range: tomcat
- (no CPE)range: tomcat
- (no CPE)range: tomcat
- (no CPE)range: tomcat
- (no CPE)range: tomcat
- (no CPE)range: tomcat
- (no CPE)range: tomcat
tomcat+ 2 more
- (no CPE)range: tomcat
- (no CPE)range: tomcat
- (no CPE)range: tomcat
tomcat+ 2 more
- (no CPE)range: tomcat
- (no CPE)range: tomcat
- (no CPE)range: tomcat
Patches
Vulnerability mechanics
References
12- lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.htmlghsavendor-advisoryx_refsource_SUSEWEB
- github.com/advisories/GHSA-gc58-v8h3-x2grghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-8022ghsaADVISORY
- bugzilla.suse.com/show_bug.cgighsax_refsource_CONFIRMWEB
- lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be%40%3Cjava-dev.axis.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be@%3Cjava-dev.axis.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928%40%3Cjava-dev.axis.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928@%3Cjava-dev.axis.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7@%3Cusers.tomcat.apache.org%3EghsaWEB
News mentions
0No linked articles in our index yet.