CVE-2020-29582
Description
CVE-2020-29582 is a vulnerability in the Kotlin Standard Library where the createTempDir() and createTempFile() functions in the kotlin.io package create temporary files and directories with insecure permissions on Unix-like systems. These files are created with world-readable permissions, potentially allowing local users to access sensitive information stored in temporary locations.
Severity
Low (False Positive) - Comprehensive code analysis shows that Rundeck does not use the vulnerable Kotlin functions. All temporary file creation in Rundeck uses Java APIs (File.createTempFile(), Files.createTempDirectory()) or Groovy extensions, which create files with secure permissions. The Kotlin Standard Library is present as a transitive dependency through OkHttp, but the vulnerable code paths (kotlin.io.createTempFile() and kotlin.io.createTempDir()) are never executed.
These vulnerable functions have been deprecated since Kotlin 1.4.21 and were removed in Kotlin 2.1.0.
Affected Versions
Since the vulnerable functions are not used in the Rundeck codebase, no versions are affected by this vulnerability. While the Kotlin Standard Library is present as a dependency, the absence of any calls to the vulnerable APIs means there is no exploitable attack surface.
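One way to make the "no calls to the vulnerable APIs" finding repeatable is a heuristic source scan for call sites of kotlin.io.createTempFile() and kotlin.io.createTempDir(), including Java or Groovy calls through the kotlin.io.FilesKt facade class. This is an added example, not Rundeck's own tooling. The function names scan_source and scan_tree, the scanned file extensions and the sample input are assumptions, and every hit still needs manual review.

```python
import re
from pathlib import Path

# Kotlin call sites: unqualified or kotlin.io-qualified. The lookbehind rejects
# File.createTempFile(...) and kotlin.io.path.createTempFile(...).
KOTLIN_CALL = re.compile(r"(?<![\w.])(?:kotlin\.io\.)?(createTempFile|createTempDir)\s*\(")
# Java and Groovy reach the same functions through the FilesKt facade class.
FACADE_CALL = re.compile(r"\bFilesKt\s*\.\s*(createTempFile|createTempDir)\s*\(")
# An explicit import of the kotlin.io.path replacement wins over the default import.
SAFE_IMPORT = re.compile(r"^\s*import\s+kotlin\.io\.path\.(createTempFile)\b", re.M)
KOTLIN_EXT, ALL_EXT = {".kt", ".kts"}, {".kt", ".kts", ".java", ".groovy"}

# Constructed sample, not taken from Rundeck.
SAMPLE_KT = """\
import java.io.File
val a = File.createTempFile("job", ".log")   // Java API, ignored
val b = createTempFile("job", ".log")        // kotlin.io, flagged
val c = kotlin.io.createTempDir("work")      // kotlin.io, flagged
// createTempDir("commented out")
"""


def scan_source(text, kotlin):
    """Return [(line_number, function_name)] for suspected kotlin.io calls."""
    shadowed = set(SAFE_IMPORT.findall(text)) if kotlin else set()
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("//", "*", "/*")):
            continue  # whole-line comment
        for pattern in (FACADE_CALL, KOTLIN_CALL) if kotlin else (FACADE_CALL,):
            for m in pattern.finditer(line):
                qualified = m.group(0).startswith(("kotlin.io.", "FilesKt"))
                if qualified or m.group(1) not in shadowed:
                    hits.append((number, m.group(1)))
    return hits


def scan_tree(root):
    """Walk a source tree and return [(relative_path, line, name)]."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in ALL_EXT:
            text = path.read_text(encoding="utf-8", errors="replace")
            for number, name in scan_source(text, path.suffix in KOTLIN_EXT):
                findings.append((path.relative_to(root).as_posix(), number, name))
    return findings
```

An empty result from scan_tree covers first-party sources only; calls made inside third-party jars are outside what this scan sees.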