Incorrect Default Permissions in org.jetbrains.kotlin:kotlin-build-common
CVE-2020-29582
- org.jetbrains.kotlin:kotlin-build-common
- org.jetbrains.kotlin:kotlin-build-common-1.3.0-rc
- org.jetbrains.kotlin:kotlin-compiler
- org.jetbrains.kotlin:kotlin-compiler-1.0.0-beta
- org.jetbrains.kotlin:kotlin-compiler-client-embeddable
- org.jetbrains.kotlin:kotlin-compiler-client-embeddable-1.3.0-rc
- org.jetbrains.kotlin:kotlin-compiler-embeddable
- org.jetbrains.kotlin:kotlin-compiler-embeddable-1.0.0-beta
- org.jetbrains.kotlin:kotlin-compiler-embeddable-1.0.0-rc
- org.jetbrains.kotlin:kotlin-compiler-embeddable-1.3.0-rc
- org.jetbrains.kotlin:kotlin-compiler-1.0.0-rc
- org.jetbrains.kotlin:kotlin-compiler-1.3.0-rc
- org.jetbrains.kotlin:kotlin-daemon
- org.jetbrains.kotlin:kotlin-daemon-client
- org.jetbrains.kotlin:kotlin-daemon-client-new
- org.jetbrains.kotlin:kotlin-daemon-client-1.3.0-rc
- org.jetbrains.kotlin:kotlin-gradle-plugin
- org.jetbrains.kotlin:kotlin-gradle-plugin-1.0.0-beta
- org.jetbrains.kotlin:kotlin-gradle-plugin-1.0.0-rc
- org.jetbrains.kotlin:kotlin-gradle-plugin-1.3.0-rc
- org.jetbrains.kotlin:kotlin-main-kts
- org.jetbrains.kotlin:kotlin-main-kts-1.3.0-rc
- org.jetbrains.kotlin:kotlin-scripting-jvm
- org.jetbrains.kotlin:kotlin-scripting-jvm-1.3.0-rc
Summary
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
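The difference between the two temp-file APIs can be checked directly, as in this added example (not code from the advisory or from JetBrains). It assumes the legacy call in question is java.io.File.createTempFile, which the advisory does not name, and that it runs on a POSIX file system; the "kotlin-demo" prefix and the helper names are hypothetical.

```kotlin
import java.io.File
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.attribute.PosixFilePermission
import java.nio.file.attribute.PosixFilePermissions

// Every permission bit that grants access to an account other than the owner.
private val NON_OWNER: Set<PosixFilePermission> =
    PosixFilePermission.values().filter { !it.name.startsWith("OWNER_") }.toSet()

/** Non-owner bits set on [path]; an empty result means only the owner has access. */
fun exposedBits(path: Path): Set<PosixFilePermission> =
    Files.getPosixFilePermissions(path).intersect(NON_OWNER)

/** One line per path: symbolic mode plus any bits that expose it to other accounts. */
fun describe(label: String, path: Path): String {
    val mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(path))
    val exposed = exposedBits(path)
    return "$label: $mode " + if (exposed.isEmpty()) "owner-only" else "exposed $exposed"
}

fun main() {
    // Legacy java.io call (assumed to be the API the advisory refers to): the mode is
    // whatever the process umask leaves, commonly rw-r--r-- in a shared temp directory.
    val legacyFile = File.createTempFile("kotlin-demo", ".tmp").toPath()

    // java.nio.file replacements: owner-only by default on POSIX file systems.
    val nioFile = Files.createTempFile("kotlin-demo", ".tmp")
    val nioDir = Files.createTempDirectory("kotlin-demo")

    // Stating the mode explicitly documents the intent and does not rely on defaults.
    val ownerOnly = PosixFilePermissions.asFileAttribute(
        PosixFilePermissions.fromString("rw-------"))
    val explicitFile = Files.createTempFile("kotlin-demo", ".tmp", ownerOnly)

    val created = listOf(
        "File.createTempFile" to legacyFile,
        "Files.createTempFile" to nioFile,
        "Files.createTempDirectory" to nioDir,
        "Files.createTempFile + attrs" to explicitFile)
    created.forEach { (label, path) -> println(describe(label, path)) }
    created.forEach { (_, path) -> Files.delete(path) }  // remove the demo files
}
```

The same `exposedBits` check can be pointed at temp paths a build actually produces to confirm that an upgraded toolchain no longer leaves them readable by other local accounts.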
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-276 - Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
Advisory Timeline
- Published