NVD Vulnerability Detail

CVE-2020-8022

Summary	A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
Publication Date	June 29, 2020, 6:15 p.m.
Registration Date	Jan. 26, 2021, 12:01 p.m.
Last Update	Nov. 21, 2024, 2:38 p.m.

CVSS3.1 : HIGH
スコア	7.8
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	低
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

CVSS2.0 : HIGH
Score	7.2
Vector	AV:L/AC:L/Au:N/C:C/I:C/A:C
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					8.0.53-29.32.1
execution environment
1	cpe:2.3:a:suse:enterprise_storage:5.0:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					8.0.53-29.32.1
execution environment
1	cpe:2.3:o:suse:linux_enterprise_server:12:sp2::::::

Configuration3		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					8.0.53-29.32.1
execution environment
1	cpe:2.3:o:suse:linux_enterprise_server:12:sp2:::ltss:::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					8.0.53-29.32.1
execution environment
1	cpe:2.3:o:suse:linux_enterprise_server:12:sp3::::::

Configuration5		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					8.0.53-29.32.1
execution environment
1	cpe:2.3:o:suse:linux_enterprise_server:12:sp3:::ltss:::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					8.0.53-29.32.1
execution environment
1	cpe:2.3:o:suse:linux_enterprise_server:12:sp2::::sap::*

Configuration7		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					8.0.53-29.32.1
execution environment
1	cpe:2.3:o:suse:linux_enterprise_server:12:sp3::::sap::*

Configuration8		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					8.0.53-29.32.1
execution environment
1	cpe:2.3:a:suse:openstack_cloud:7.0:::::::*

Configuration9		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					8.0.53-29.32.1
execution environment
1	cpe:2.3:a:suse:openstack_cloud:8.0:::::::*

Configuration10		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					8.0.53-29.32.1
execution environment
1	cpe:2.3:a:suse:openstack_cloud_crowbar:8.0:::::::*

Configuration11		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					9.0.35-3.39.1
execution environment
1	cpe:2.3:o:suse:linux_enterprise_server:12:sp4::::::

Configuration12		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					9.0.35-3.39.1
execution environment
1	cpe:2.3:o:suse:linux_enterprise_server:12:sp5::::::

Configuration13		or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::					9.0.35-3.57.3
execution environment
1	cpe:2.3:o:suse:linux_enterprise_server:15:::::sap::

Configuration14		or higher	or less	more than	less than
cpe:2.3:o:opensuse:leap:15.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html	Mailing List Vendor Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html	Mailing List Vendor Advisory
3	https://bugzilla.suse.com/show_bug.cgi?id=1172405	Exploit Issue Tracking Vendor Advisory
4	https://bugzilla.suse.com/show_bug.cgi?id=1172405	Exploit Issue Tracking Vendor Advisory
5	https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be%40%3Cjava-dev.axis.apache.org%3E
6	https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be%40%3Cjava-dev.axis.apache.org%3E
7	https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928%40%3Cjava-dev.axis.apache.org%3E
8	https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928%40%3Cjava-dev.axis.apache.org%3E
9	https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1%40%3Cusers.tomcat.apache.org%3E
10	https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1%40%3Cusers.tomcat.apache.org%3E
11	https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7%40%3Cusers.tomcat.apache.org%3E
12	https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7%40%3Cusers.tomcat.apache.org%3E

Common Vulnerabilities List

JVN Vulnerability Information

複数の製品における不適切なデフォルトパーミッションに関する脆弱性

Title	複数の製品における不適切なデフォルトパーミッションに関する脆弱性
Summary	複数の製品には、不適切なデフォルトパーミッションに関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 2, 2020, midnight
Registration Date	Aug. 25, 2020, 3:49 p.m.
Last Update	Aug. 25, 2020, 3:49 p.m.

Affected System

Apache Software Foundation

Apache Tomcat

openSUSE project

openSUSE Leap

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-8022	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8022
National Vulnerability Database (NVD)
2	CVE-2020-8022	https://nvd.nist.gov/vuln/detail/CVE-2020-8022

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-276	https://cwe.mitre.org/data/definitions/276.html

ベンダー情報

No	Name	URL
Apache
1	Top Page	https://www.apache.org/
Bugzilla
2	Bug 1172405	https://bugzilla.suse.com/show_bug.cgi?id=1172405
opensuse-security-announce
3	openSUSE-SU-2020:0911-1	https://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html

Change Log

No	Changed Details	Date of change
1	[2020年08月25日] 掲載	Aug. 25, 2020, 3:49 p.m.