
CVE-2020-8022: Incorrect Default Permissions in Apache Tomcat

CVSS Score (v3.1): 7.8

Basic Information

EPSS Score: 0.42961%
Published: 2/9/2022
Updated: 7/10/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.tomcat:tomcat | maven | < 8.0.53 | 8.0.53 |
| org.apache.tomcat:tomcat | maven | >= 9.0.0, < 9.0.35 | 9.0.35 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from incorrect file permissions in packaging (specifically /usr/lib/tmpfiles.d/tomcat.conf being group-writable), not from runtime code execution patterns. The provided patches show fixes to daemon.sh that enforce a proper umask (0027) and add configuration options, but these are mitigation measures rather than indicators of vulnerable functions. The exploit involves file system manipulation rather than specific function calls during runtime execution. No code paths that handle requests or process input were modified in the provided patches; the vulnerability exists at the packaging/configuration level rather than in executable code paths that would appear in a runtime profiler.
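Because the defect lives in packaging rather than in Java code, the practical check is a file-system audit. The script below is an added example, not code from Miggo, SUSE or the Tomcat project: it flags a tmpfiles.d configuration whose own mode is group- or world-writable (the defect described above), lists entries in it that grant group/other write on the paths systemd-tmpfiles will create, and shows the mode a new file receives under the umask 0027 that the daemon.sh fix enforces. It assumes GNU coreutils (`stat -c`) on Linux and writes a constructed sample config under a temporary directory.

```shell
#!/bin/sh
# Added defender-side audit; not the advisory's or Tomcat's own code.

# Constructed sample, not the SUSE package's real /usr/lib/tmpfiles.d/tomcat.conf.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/tomcat.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed demo entries: Type Path Mode User Group Age Argument
d /run/tomcat 0755 tomcat tomcat -
d /var/cache/tomcat/work 0775 tomcat tomcat -
EOF

# True (exit 0) when the config file's own mode has a group or other write bit.
# A config writable by the service group is the packaging error this CVE describes.
conf_is_group_or_world_writable() {
    mode=$(stat -c '%a' "$1") || return 2     # GNU stat: octal mode, e.g. 664
    [ $(( 0$mode & 022 )) -ne 0 ]              # 022 = group-write | other-write
}

# Prints each non-comment entry whose mode field grants group or other write.
# The mode may be "-" (use the type's default) or carry a "~" or ":" prefix,
# which is stripped before the bit test.
list_permissive_entries() {
    while read -r type path mode rest; do
        case "$type" in ''|'#'*) continue ;; esac
        [ "$mode" = "-" ] && continue
        m=${mode#[~:]}
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            printf '%s %s %s %s\n' "$type" "$path" "$mode" "$rest"
        fi
    done < "$1"
}

# Prints the mode a newly created file gets under the given umask, so the
# effect of the daemon.sh change (umask 0027 -> 0640 files) can be observed.
# Uses a plain redirection, because mktemp always creates files as 0600.
mode_under_umask() {
    ( umask "$1" && f="$2/probe.$$" && : > "$f" && stat -c '%a' "$f" && rm -f "$f" )
}

# Demo: reproduce the defect on the sample, then report.
chmod 0664 "$SAMPLE_CONF"
if conf_is_group_or_world_writable "$SAMPLE_CONF"; then
    echo "WARNING: $SAMPLE_CONF is group/world writable"
fi
list_permissive_entries "$SAMPLE_CONF"
echo "file created under umask 0027 gets mode $(mode_under_umask 0027 "$SAMPLE_DIR")"
```

Point the two audit functions at the real /usr/lib/tmpfiles.d/ entries on a host to check a deployed package; the umask probe only shows what the fixed daemon.sh setting produces.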


Advisory Status

Withdrawn as per https://lists.apache.org/thread/[thread id unreadable in source]: this issue only affects the SUSE-built artifacts of Tomcat and is not relevant for the artifacts on Maven Central.
