{ "threat_severity" : "Low", "public_date" : "2021-02-03T00:00:00Z", "bugzilla" : { "description" : "kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure", "id" : "1930291", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1930291" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-276", "details" : [ "In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions." ], "statement" : "Red Hat CodeReady Studio 12 is not affected by this vulnerability because It ships kotlin-stdlib. The vulnerable component is not in kotlin-stdlib.", "affected_release" : [ { "product_name" : "Red Hat Fuse 7.11", "release_date" : "2022-07-07T00:00:00Z", "advisory" : "RHSA-2022:5532", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "kotlin-scripting-jvm" }, { "product_name" : "Red Hat Integration", "release_date" : "2021-08-18T00:00:00Z", "advisory" : "RHSA-2021:3205", "cpe" : "cpe:/a:redhat:integration:1", "package" : "kotlin-scripting-jvm" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "release_date" : "2021-08-18T00:00:00Z", "advisory" : "RHSA-2021:3207", "cpe" : "cpe:/a:redhat:camel_quarkus:2" } ], "package_state" : [ { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Affected", "package_name" : "kotlin-scripting-jvm", "cpe" : "cpe:/a:redhat:camel_quarkus:2", "impact" : "low" }, { "product_name" : "Red Hat Integration Service Registry", "fix_state" : "Not affected", "package_name" : "kotlin-scripting-jvm", "cpe" : "cpe:/a:redhat:integration:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-29582\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-29582\nhttps://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/" ], "name" : "CVE-2020-29582", "csaw" : false }