CVE-2019-15630
Published 2019-08-30
Priority: P3 · 45 · high · 7.5 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 3.00% (85.7th percentile)
Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allows remote attackers to read files accessible to the Mule process.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mulesoft | mule_runtime | 3.2.0 – 3.9.3 | — |
| mulesoft | mule_runtime | 4.1.0 – 4.2.1 | — |
| salesforce_inc | mulesoft | — | — |
| salesforce_inc | mulesoft_api_gateway | — | — |
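CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |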
OSV
osv · 2022-05-24
CVE-2019-15630 [HIGH] Mule modules contain Directory Traversal
Directory Traversal in APIkit, http-connector, and OAuth2 Provider modules in Mulesoft 3.x, 4.x and Mulesoft API Gateway (all versions) released before August 1, 2019 allows remote attackers to read files accessible to the Mule process.
GHSA
ghsa · 2022-05-24
CVE-2019-15630 [HIGH] CWE-22 Mule modules contain Directory Traversal
Directory Traversal in APIkit, http-connector, and OAuth2 Provider modules in Mulesoft 3.x, 4.x and Mulesoft API Gateway (all versions) released before August 1, 2019 allows remote attackers to read files accessible to the Mule process.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.