CVE-2019-15630
Mule modules contain Directory Traversal
Severity: 7.5 HIGH (CVSS 3.1), EPSS 0.77%
Description
Directory Traversal in APIkit, http-connector, and OAuth2 Provider modules in Mulesoft 3.x, 4.x and Mulesoft API Gateway (all versions) released before August 1, 2019 allows remote attackers to read files accessible to the Mule process.
How to fix CVE-2019-15630
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fix listed
Is CVE-2019-15630 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 3.0.0, <= 4.1.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |