CVE-2020-29582 (Medium) detected in kotlin-stdlib-1.3.61.jar, kotlin-stdlib-1.3.20.jar #103

mend-for-github-com · 2023-03-27T01:42:46Z

CVE-2020-29582 - Medium Severity Vulnerability

Vulnerable Libraries - kotlin-stdlib-1.3.61.jar, kotlin-stdlib-1.3.20.jar

kotlin-stdlib-1.3.61.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to dependency file: /samples/sample-2-kotlin-todoservice/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.61/4702105e97f7396ae41b113fdbdc180ec1eb1e36/kotlin-stdlib-1.3.61.jar

Dependency Hierarchy:

jackson-module-kotlin-2.11.0.jar (Root Library)
- kotlin-reflect-1.3.61.jar
  - ❌ kotlin-stdlib-1.3.61.jar (Vulnerable Library)

kotlin-stdlib-1.3.20.jar

Kotlin Standard Library for JVM

Path to dependency file: /samples/sample-2-kotlin-todoservice/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.20/eb2a232734e09fcd1b958a5c7520a93c6de38b32/kotlin-stdlib-1.3.20.jar

Dependency Hierarchy:

kotlin-compiler-embeddable-1.3.20.jar (Root Library)
- ❌ kotlin-stdlib-1.3.20.jar (Vulnerable Library)

Found in HEAD commit: d64100a6a3eec7fcaa704df6c76f50ee0fe55763

Found in base branch: master

Vulnerability Details

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

Publish Date: 2021-02-03

URL: CVE-2020-29582

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cqj8-47ch-rvvq

Release Date: 2021-02-03

Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.4.21

Direct dependency fix Resolution (com.fasterxml.jackson.module:jackson-module-kotlin): 2.12.1

Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.4.21

Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-compiler-embeddable): 1.4.21

⛑️ Automatic Remediation is available for this issue

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Mar 27, 2023

mend-for-github-com bot mentioned this issue Mar 31, 2023

Update dependency com.fasterxml.jackson.module:jackson-module-kotlin to v2.12.2 #100

Open

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2020-29582 (Medium) detected in kotlin-stdlib-1.3.61.jar, kotlin-stdlib-1.3.20.jar #103

CVE-2020-29582 (Medium) detected in kotlin-stdlib-1.3.61.jar, kotlin-stdlib-1.3.20.jar #103

mend-for-github-com bot commented Mar 27, 2023 •

edited

Loading

CVE-2020-29582 (Medium) detected in kotlin-stdlib-1.3.61.jar, kotlin-stdlib-1.3.20.jar #103

CVE-2020-29582 (Medium) detected in kotlin-stdlib-1.3.61.jar, kotlin-stdlib-1.3.20.jar #103

Comments

mend-for-github-com bot commented Mar 27, 2023 • edited Loading

CVE-2020-29582 - Medium Severity Vulnerability

mend-for-github-com bot commented Mar 27, 2023 •

edited

Loading