CVE-2019-13116 — Mulesoft Mule Unsafe Deserialization

Description

The MuleSoft Mule runtime engine before 3.8.0 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections.

How to fix CVE-2019-13116

To remediate CVE-2019-13116, upgrade the affected package to a fixed version below.

Maven/org.mule.runtime:mule—upgrade to 3.8.0 or later

Is CVE-2019-13116 being exploited?

Low — EPSS is 2.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.8.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-13116
PATCHgithub.com/mulesoft/mule
WEBdocs.mulesoft.com/release-notes/mule-runtime/mule-3.8.0-release-notes
WEBthreat.tevora.com/mulesoft-3-8-unauthenticated-rce