CVE-2019-15630 - Vulnerability Details - OpenCVE

Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mulesoft	Api Gateway Mule Runtime

Configuration 1 [-]

OR	cpe:2.3:a:mulesoft:api_gateway::::::::
	cpe:2.3:a:mulesoft:mule_runtime::::::::
	cpe:2.3:a:mulesoft:mule_runtime::::::::

No data.

References

Link	Providers
https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US

History

No history.

MITRE

Status: PUBLISHED

Assigner: Salesforce

Published: 2019-08-30T16:56:14

Updated: 2024-08-05T00:56:22.135Z

Reserved: 2019-08-26T00:00:00

Link: CVE-2019-15630

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-08-30T17:15:11.940

Modified: 2024-11-21T04:29:09.887

Link: CVE-2019-15630

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Mulesoft", "vendor": "Salesforce, Inc.", "versions": [{"status": "affected", "version": "3.x and 4.x released before August 1 2019"}]}, {"product": "Mulesoft API Gateway", "vendor": "Salesforce, Inc.", "versions": [{"status": "affected", "version": "All versions"}]}], "datePublic": "2019-08-30T00:00:00", "descriptions": [{"lang": "en", "value": "Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process."}], "problemTypes": [{"descriptions": [{"description": "Directory Traversal (Local File Inclusion)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-03T18:21:26", "orgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "shortName": "Salesforce"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@salesforce.com", "ID": "CVE-2019-15630", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Mulesoft", "version": {"version_data": [{"version_value": "3.x and 4.x released before August 1 2019"}]}}, {"product_name": "Mulesoft API Gateway", "version": {"version_data": [{"version_value": "All versions"}]}}]}, "vendor_name": "Salesforce, Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Directory Traversal (Local File Inclusion)"}]}]}, "references": {"reference_data": [{"name": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US", "refsource": "MISC", "url": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:56:22.135Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US"}]}]}, "cveMetadata": {"assignerOrgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "assignerShortName": "Salesforce", "cveId": "CVE-2019-15630", "datePublished": "2019-08-30T16:56:14", "dateReserved": "2019-08-26T00:00:00", "dateUpdated": "2024-08-05T00:56:22.135Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mulesoft:api_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A4EE65F-5D59-4DB7-AC4A-8A5B16EC3576", "vulnerable": true}, {"criteria": "cpe:2.3:a:mulesoft:mule_runtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CBDD07A-6C14-4CFD-8AD5-6C900D33BA23", "versionEndIncluding": "3.9.3", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mulesoft:mule_runtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "D24C3B68-2456-4D77-87F1-C0056B871D2E", "versionEndIncluding": "4.2.1", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process."}, {"lang": "es", "value": "Directory Traversal en APIkit, http connector y OAuth2 Provider components en MuleSoft Mule Runtime versi\u00f3n 3.2.0 y versiones anteriores lanzadas antes del 1 de agosto de 2019, MuleSoft Mule Runtime versi\u00f3n 4.1.0 y versiones anteriores lanzadas antes del 1 de agosto de 2019, y todas las versiones de MuleSoft API Gateway lanzado antes del 1 de agosto de 2019 permiten a los atacantes remotos leer los archivos accesibles para el proceso de Mule."}], "id": "CVE-2019-15630", "lastModified": "2024-11-21T04:29:09.887", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-30T17:15:11.940", "references": [{"source": "security@salesforce.com", "tags": ["Third Party Advisory"], "url": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US"}], "sourceIdentifier": "security@salesforce.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}