Hi Team,

CVE-2020-15824 was reported against kotlin-runtime 1.2.71, which is in Spring Boot 2.1.x.

The project kotlin-runtime has changed its groupId to kotlin-stdlib, which is also present in Spring Boot 2.1.x.

Is it possible to remove kotlin-runtime in the next release of 2.1.x and increase the version of kotlin-stdlib to prevent this vulnerability?

Best regards, Manjunath

Comment From: wilkinsona

Thanks for bringing this to our attention. Spring Boot does not depend on kotlin-runtime; it just provides dependency management for it. Furthermore, the CVE description states that only 1.4-M1 to 1.4-RC are affected:

In JetBrains Kotlin from 1.4-M1 to 1.4-RC (as Kotlin 1.3.7x is not affected by the issue. Fixed version is 1.4.0) there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.

Comment From: artem-smotrakov

@ManjunathMS35 @wilkinsona FYI Kotlin 1.2.71 is not affected by this CVE. I've contacted the NVD team to update the entry. Let me know if you have questions.
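The triage the two comments above describe, as an added example that is not part of the thread and not Spring Boot or JetBrains code: it reads a few constructed lines in the shape of `mvn dependency:tree` output, keeps only `org.jetbrains.kotlin` coordinates, and flags a dependency only when it is the `kotlin-main-kts` artifact named in the CVE description and its version falls in the 1.4-M1 to 1.4-RC range. The version ordering (milestones before RC before the 1.4.0 release) and the sample tree are assumptions made for the example; a scanner that matches on `kotlin-runtime 1.2.71` is below the range and on the wrong artifact, so it is reported as not affected.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape of `mvn dependency:tree` output (not a real project).
SAMPLE_TREE = """\
[INFO] +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.2.71:compile
[INFO] |  \\- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.2.71:compile
[INFO] +- org.jetbrains.kotlin:kotlin-runtime:jar:1.2.71:compile
[INFO] +- org.jetbrains.kotlin:kotlin-main-kts:jar:1.4-M2:compile
[INFO] \\- org.jetbrains.kotlin:kotlin-main-kts:jar:1.4.0:test
"""

# group:artifact:packaging:version[:scope] as printed by dependency:tree
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[a-z]+:([\w.\-]+)(?::[a-z]+)?$")

KOTLIN_GROUP = "org.jetbrains.kotlin"
AFFECTED_ARTIFACT = "kotlin-main-kts"   # the artifact named in the CVE description

Version = Tuple[int, int, int, Tuple[int, int]]


def parse_kotlin_version(text: str) -> Version:
    """Turn '1.2.71', '1.4-M1', '1.4-RC' or '1.4.0' into a comparable tuple.

    Assumed pre-release ordering: M<n> (0, n) < RC<n> (1, n) < final release (2, 0).
    Raises ValueError for tags it does not understand, so unknown versions are
    never silently treated as safe.
    """
    base, _, tag = text.partition("-")
    nums = [int(p) for p in base.split(".")]
    if not 1 <= len(nums) <= 3:
        raise ValueError(f"unrecognised version: {text!r}")
    nums += [0] * (3 - len(nums))
    if tag == "":
        pre = (2, 0)
    elif (m := re.fullmatch(r"M(\d+)", tag)):
        pre = (0, int(m.group(1)))
    elif (m := re.fullmatch(r"RC(\d*)", tag)):
        pre = (1, int(m.group(1) or 0))
    else:
        raise ValueError(f"unrecognised pre-release tag: {text!r}")
    return (nums[0], nums[1], nums[2], pre)


# Range quoted from the CVE description: 1.4-M1 up to and including 1.4-RC.
AFFECTED_LO = parse_kotlin_version("1.4-M1")
AFFECTED_HI = parse_kotlin_version("1.4-RC")


def is_affected(artifact: str, version: str) -> bool:
    """True only for kotlin-main-kts inside the affected range."""
    if artifact != AFFECTED_ARTIFACT:
        return False
    return AFFECTED_LO <= parse_kotlin_version(version) <= AFFECTED_HI


def triage(tree_text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (affected coordinates, versions that need manual review)."""
    affected: List[Tuple[str, str]] = []
    unknown: List[str] = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m or m.group(1) != KOTLIN_GROUP:
            continue
        artifact, version = m.group(2), m.group(3)
        try:
            if is_affected(artifact, version):
                affected.append((artifact, version))
        except ValueError:
            unknown.append(f"{artifact}:{version}")
    return affected, unknown


if __name__ == "__main__":
    hits, review = triage(SAMPLE_TREE)
    print("affected:", hits)
    print("manual review:", review)
```

Run it against the real output of `mvn dependency:tree` (or the equivalent Gradle report reformatted to the same coordinate shape) rather than against the declared `pom.xml`, since managed versions are only visible once resolved.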