CVE-2024-22029

tomcat packaging allows for escalation to root from tomcat user

Description

Insecure permissions in the packaging of tomcat allow local users who win a race during package installation to escalate to root.

CVSS 3.1 base score: 7.8 (Severity: High)
EPSS: 0.02%
Affected: SUSE Container suse/manager/5.0/x86_64/server:5.0.0-beta1.2.122
Affected: SUSE SUSE Enterprise Storage 7.1
Affected: SUSE SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
Affected: SUSE SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
Affected: SUSE SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
Affected: SUSE SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
Affected: SUSE SUSE Linux Enterprise High Performance Computing 15 SP5
Affected: SUSE SUSE Linux Enterprise Module for Web and Scripting 15 SP5
Affected: SUSE SUSE Linux Enterprise Server 15 SP5
Affected: SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP5
Affected: SUSE SUSE Linux Enterprise High Performance Computing 15 SP6
Affected: SUSE SUSE Linux Enterprise Module for Web and Scripting 15 SP6
Affected: SUSE SUSE Linux Enterprise Server 15 SP6
Affected: SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP6
Affected: SUSE SUSE Linux Enterprise Server 15 SP2-LTSS
Affected: SUSE SUSE Linux Enterprise Server 15 SP3-LTSS
Affected: SUSE SUSE Linux Enterprise Server 15 SP4-LTSS
Affected: SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP2
Affected: SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP3
Affected: SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP4
Affected: SUSE SUSE Manager Server 4.3
Affected: SUSE openSUSE Leap 15.5
Affected: SUSE openSUSE Tumbleweed

Frequently Asked Questions

What is the severity of CVE-2024-22029?
CVE-2024-22029 has been scored as a high severity vulnerability.
How to fix CVE-2024-22029?
To fix CVE-2024-22029, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As of now, there are no other specific guidelines available.
Is CVE-2024-22029 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2024-22029 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-22029?
CVE-2024-22029 affects SUSE Container suse/manager/5.0/x86_64/server:5.0.0-beta1.2.122, SUSE SUSE Enterprise Storage 7.1, SUSE SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS, SUSE SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS, SUSE SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS, SUSE SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE SUSE Linux Enterprise High Performance Computing 15 SP5, SUSE SUSE Linux Enterprise Module for Web and Scripting 15 SP5, SUSE SUSE Linux Enterprise Server 15 SP5, SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP5, SUSE SUSE Linux Enterprise High Performance Computing 15 SP6, SUSE SUSE Linux Enterprise Module for Web and Scripting 15 SP6, SUSE SUSE Linux Enterprise Server 15 SP6, SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP6, SUSE SUSE Linux Enterprise Server 15 SP2-LTSS, SUSE SUSE Linux Enterprise Server 15 SP3-LTSS, SUSE SUSE Linux Enterprise Server 15 SP4-LTSS, SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP2, SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP3, SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP4, SUSE SUSE Manager Server 4.3, SUSE openSUSE Leap 15.5, SUSE openSUSE Tumbleweed.
© 2025 Under My Watch. All Rights Reserved.