History: Jun 29, 2020 - 9:15 a.m.

CVE-2020-8022

2020-06-29 09:15:11
CWE-276
suse
web.nvd.nist.gov
Tags: cve-2020-8022, vulnerability, incorrect default permissions, tomcat, suse enterprise storage, suse linux enterprise server, suse openstack cloud, suse openstack cloud crowbar, nvd

CVSS2: 7.2
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 7.8
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.5
Confidence: High

EPSS: 0
Percentile: 5.1%

An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root.

This issue affects:
SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1.
SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1.
SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1.
SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1.
SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1.
SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1.
SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1.
SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3.
SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1.
SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1.
SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3.
SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1.
SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1.
SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.

Affected configurations

NVD
Node: apache tomcat Range <8.0.53-29.32.1 AND suse enterprise_storage Match 5.0
Node: apache tomcat Range <8.0.53-29.32.1 AND suse linux_enterprise_server Match 12 sp2
Node: apache tomcat Range <8.0.53-29.32.1 AND suse linux_enterprise_server Match 12 sp2 ltss
Node: apache tomcat Range <8.0.53-29.32.1 AND suse linux_enterprise_server Match 12 sp3
Node: apache tomcat Range <8.0.53-29.32.1 AND suse linux_enterprise_server Match 12 sp3 ltss
Node: apache tomcat Range <8.0.53-29.32.1 AND suse linux_enterprise_server Match 12 sp2 sap
Node: apache tomcat Range <8.0.53-29.32.1 AND suse linux_enterprise_server Match 12 sp3 sap
Node: apache tomcat Range <8.0.53-29.32.1 AND suse openstack_cloud Match 7.0
Node: apache tomcat Range <8.0.53-29.32.1 AND suse openstack_cloud Match 8.0
Node: apache tomcat Range <8.0.53-29.32.1 AND suse openstack_cloud_crowbar Match 8.0
Node: apache tomcat Range <9.0.35-3.39.1 AND suse linux_enterprise_server Match 12 sp4
Node: apache tomcat Range <9.0.35-3.39.1 AND suse linux_enterprise_server Match 12 sp5
Node: apache tomcat Range <9.0.35-3.57.3 AND suse linux_enterprise_server Match 15 sap
Node: opensuse leap Match 15.1

Vendor | Product | Version | CPE
apache | tomcat | * | cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
suse | enterprise_storage | 5.0 | cpe:2.3:a:suse:enterprise_storage:5.0:*:*:*:*:*:*:*
suse | linux_enterprise_server | 12 | cpe:2.3:o:suse:linux_enterprise_server:12:sp2:*:*:*:*:*:*
suse | linux_enterprise_server | 12 | cpe:2.3:o:suse:linux_enterprise_server:12:sp2:*:*:ltss:*:*:*
suse | linux_enterprise_server | 12 | cpe:2.3:o:suse:linux_enterprise_server:12:sp3:*:*:*:*:*:*
suse | linux_enterprise_server | 12 | cpe:2.3:o:suse:linux_enterprise_server:12:sp3:*:*:ltss:*:*:*
suse | linux_enterprise_server | 12 | cpe:2.3:o:suse:linux_enterprise_server:12:sp2:*:*:*:sap:*:*
suse | linux_enterprise_server | 12 | cpe:2.3:o:suse:linux_enterprise_server:12:sp3:*:*:*:sap:*:*
suse | openstack_cloud | 7.0 | cpe:2.3:a:suse:openstack_cloud:7.0:*:*:*:*:*:*:*
suse | openstack_cloud | 8.0 | cpe:2.3:a:suse:openstack_cloud:8.0:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "SUSE Enterprise Storage 5",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "8.0.53-29.32.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE Linux Enterprise Server 12-SP2-BCL",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "8.0.53-29.32.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE Linux Enterprise Server 12-SP2-LTSS",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "8.0.53-29.32.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE Linux Enterprise Server 12-SP3-BCL",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "8.0.53-29.32.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE Linux Enterprise Server 12-SP3-LTSS",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "8.0.53-29.32.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE Linux Enterprise Server 12-SP4",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "9.0.35-3.39.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE Linux Enterprise Server 12-SP5",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "9.0.35-3.39.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE Linux Enterprise Server 15-LTSS",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "9.0.35-3.57.3",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE Linux Enterprise Server for SAP 12-SP2",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "8.0.53-29.32.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE Linux Enterprise Server for SAP 12-SP3",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "8.0.53-29.32.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE Linux Enterprise Server for SAP 15",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "9.0.35-3.57.3",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE OpenStack Cloud 7",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "8.0.53-29.32.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE OpenStack Cloud 8",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "8.0.53-29.32.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SUSE OpenStack Cloud Crowbar 8",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "8.0.53-29.32.1",
        "status": "affected",
        "version": "tomcat",
        "versionType": "custom"
      }
    ]
  }
]
