CVE-2020-29582 – This vulnerability in JetBrains Kotlin before v... (How to Fix)

Q: What is the severity of CVE-2020-29582?

CVE-2020-29582 has a CVSS score of 5.3 (MEDIUM). This vulnerability in JetBrains Kotlin before version 1.4.21 uses an insecure Java API for temporary file creation, allowing attackers to read sensitive data from improperly secured temporary files and directories. It affects applications built with vulnerable Kotlin versions that create temporary files during execution. The risk is highest in multi-user environments where temporary file permissions could be exploited.

📋 TL;DR

This vulnerability in JetBrains Kotlin before version 1.4.21 uses an insecure Java API for temporary file creation, allowing attackers to read sensitive data from improperly secured temporary files and directories. It affects applications built with vulnerable Kotlin versions that create temporary files during execution. The risk is highest in multi-user environments where temporary file permissions could be exploited.

💻 Affected Systems

Products:

JetBrains Kotlin
Applications built with Kotlin

Versions: All versions before 1.4.21

Operating Systems: All operating systems running Java/Kotlin applications

Default Config Vulnerable: ⚠️ Yes

Notes: Applications must create temporary files using the vulnerable API to be affected. The vulnerability is in the Kotlin compiler/runtime, not specific applications.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could read sensitive application data, configuration files, or temporary credentials stored in insecure temporary files, potentially leading to data exposure or privilege escalation.

🟠

Likely Case

Information disclosure where attackers can read temporary files containing non-critical application data, potentially revealing system information or partial application state.

🟢

If Mitigated

Minimal impact with proper file permission controls and isolation between user processes on the system.

🌐 Internet-Facing: MEDIUM - Web applications using vulnerable Kotlin versions could expose temporary file data if attackers can access the underlying file system.

🏢 Internal Only: MEDIUM - Internal applications could expose sensitive data to other users on shared systems through insecure temporary file permissions.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires the attacker to have some level of system access to read temporary files. The vulnerability is in file permissions, not remote code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kotlin 1.4.21 and later

Vendor Advisory: https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/

Restart Required: Yes

Instructions:

1. Update Kotlin to version 1.4.21 or later. 2. Recompile affected applications with the updated Kotlin version. 3. Redeploy updated applications. 4. Restart any running applications using the vulnerable Kotlin runtime.

🔧 Temporary Workarounds

Secure temporary file creation

all

Modify application code to use secure temporary file creation methods with proper permissions

// Kotlin code example: Use Files.createTempFile() with secure permissions
val tempFile = Files.createTempFile("prefix", ".tmp").toFile()
tempFile.setReadable(false, false)
tempFile.setWritable(false, false)

🧯 If You Can't Patch

Implement strict file system permissions and isolate user processes
Monitor temporary directories for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check Kotlin version in build.gradle or build.gradle.kts: look for kotlin version < 1.4.21

Check Version:

For Gradle: ./gradlew dependencies | grep kotlin-stdlib OR check build.gradle for 'kotlin("stdlib") version'

Verify Fix Applied:

Verify Kotlin version is 1.4.21 or higher in build configuration files

📡 Detection & Monitoring

Log Indicators:

Failed file permission changes
Unexpected file access patterns in temporary directories

Network Indicators:

None - this is a local file system vulnerability

SIEM Query:

File access events where source process is Kotlin/JVM application and target path contains temporary directories with world-readable permissions

📊 Metadata

CVE ID: CVE-2020-29582

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-276

Published: February 3, 2021

Last Updated: February 25, 2026

🔗 References

https://blog.jetbrains.com Vendor Advisory
https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/ Vendor Advisory
https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch,Third Party Advisory
https://blog.jetbrains.com Vendor Advisory
https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/ Vendor Advisory
https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-29582, you might also want to check these: