CVE-2020-15824

moderate-risk

Published 2020-08-08

In JetBrains Kotlin from 1.4-M1 to 1.4-RC (as Kotlin 1.3.7x is not affected by the issue. Fixed version is 1.4.0) there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (8)

Kotlin

Banking Extensibility Workbench

Communications Cloud Native Core Policy

Affected Vendors

Oracle Jetbrains

References (16)

Mailing List http://www.openwall.com/lists/oss-security/2020/12/06/1

Vendor Advisory https://blog.jetbrains.com/blog/2020/08/06/jetbrains-security-bulletin-q2-2020/

https://lists.apache.org/thread.html/ra12c3e23b021f259a201648005b9946acd7f618a6f...

https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad...

Patch https://www.oracle.com/security-alerts/cpujan2022.html

Patch https://www.oracle.com/security-alerts/cpuoct2021.html

Mailing List http://www.openwall.com/lists/oss-security/2020/12/06/1

Vendor Advisory https://blog.jetbrains.com/blog/2020/08/06/jetbrains-security-bulletin-q2-2020/

https://lists.apache.org/thread.html/ra12c3e23b021f259a201648005b9946acd7f618a6f...

https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad...

Patch https://www.oracle.com/security-alerts/cpujan2022.html

Patch https://www.oracle.com/security-alerts/cpuoct2021.html

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 0/34 · Minimal

Exposure 14/34 · Moderate