CVE-2019-15630 - Vulnerability Details

Vendors	Products
Mulesoft	Api Gateway Mule Runtime

Link	Providers
https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Mulesoft", "vendor": "Salesforce, Inc.", "versions": [{"status": "affected", "version": "3.x and 4.x released before August 1 2019"}]}, {"product": "Mulesoft API Gateway", "vendor": "Salesforce, Inc.", "versions": [{"status": "affected", "version": "All versions"}]}], "datePublic": "2019-08-30T00:00:00", "descriptions": [{"lang": "en", "value": "Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process."}], "problemTypes": [{"descriptions": [{"description": "Directory Traversal (Local File Inclusion)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-03T18:21:26", "orgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "shortName": "Salesforce"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@salesforce.com", "ID": "CVE-2019-15630", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Mulesoft", "version": {"version_data": [{"version_value": "3.x and 4.x released before August 1 2019"}]}}, {"product_name": "Mulesoft API Gateway", "version": {"version_data": [{"version_value": "All versions"}]}}]}, "vendor_name": "Salesforce, Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Directory Traversal (Local File Inclusion)"}]}]}, "references": {"reference_data": [{"name": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US", "refsource": "MISC", "url": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:56:22.135Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US"}]}]}, "cveMetadata": {"assignerOrgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "assignerShortName": "Salesforce", "cveId": "CVE-2019-15630", "datePublished": "2019-08-30T16:56:14", "dateReserved": "2019-08-26T00:00:00", "dateUpdated": "2024-08-05T00:56:22.135Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Mulesoft (string)

vendor : Salesforce, Inc. (string)

versions : [ »

0 : { »

status : affected (string)

version : 3.x and 4.x released before August 1 2019 (string)

}

]

}

1 : { »

product : Mulesoft API Gateway (string)

vendor : Salesforce, Inc. (string)

versions : [ »

0 : { »

status : affected (string)

version : All versions (string)

}

]

}

]

datePublic : 2019-08-30T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : Directory Traversal (Local File Inclusion) (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2019-09-03T18:21:26 (string)

orgId : c9b25dee-ae6d-4083-ba23-638c500cc364 (string)

shortName : Salesforce (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : security@salesforce.com (string)

ID : CVE-2019-15630 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Mulesoft (string)

version : { »

version_data : [ »

0 : { »

version_value : 3.x and 4.x released before August 1 2019 (string)

}

]

}

1 : { »

product_name : Mulesoft API Gateway (string)

version : { »

version_data : [ »

0 : { »

version_value : All versions (string)

}

]

}

]

}

vendor_name : Salesforce, Inc. (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Directory Traversal (Local File Inclusion) (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US (string)

refsource : MISC (string)

url : https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T00:56:22.135Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : c9b25dee-ae6d-4083-ba23-638c500cc364 (string)

assignerShortName : Salesforce (string)

cveId : CVE-2019-15630 (string)

datePublished : 2019-08-30T16:56:14 (string)

dateReserved : 2019-08-26T00:00:00 (string)

dateUpdated : 2024-08-05T00:56:22.135Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mulesoft:api_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A4EE65F-5D59-4DB7-AC4A-8A5B16EC3576", "vulnerable": true}, {"criteria": "cpe:2.3:a:mulesoft:mule_runtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CBDD07A-6C14-4CFD-8AD5-6C900D33BA23", "versionEndIncluding": "3.9.3", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mulesoft:mule_runtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "D24C3B68-2456-4D77-87F1-C0056B871D2E", "versionEndIncluding": "4.2.1", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process."}, {"lang": "es", "value": "Directory Traversal en APIkit, http connector y OAuth2 Provider components en MuleSoft Mule Runtime versi\u00f3n 3.2.0 y versiones anteriores lanzadas antes del 1 de agosto de 2019, MuleSoft Mule Runtime versi\u00f3n 4.1.0 y versiones anteriores lanzadas antes del 1 de agosto de 2019, y todas las versiones de MuleSoft API Gateway lanzado antes del 1 de agosto de 2019 permiten a los atacantes remotos leer los archivos accesibles para el proceso de Mule."}], "id": "CVE-2019-15630", "lastModified": "2024-11-21T04:29:09.887", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-30T17:15:11.940", "references": [{"source": "security@salesforce.com", "tags": ["Third Party Advisory"], "url": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US"}], "sourceIdentifier": "security@salesforce.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:mulesoft:api_gateway:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 0A4EE65F-5D59-4DB7-AC4A-8A5B16EC3576 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:mulesoft:mule_runtime:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 4CBDD07A-6C14-4CFD-8AD5-6C900D33BA23 (string)

versionEndIncluding : 3.9.3 (string)

versionStartIncluding : 3.2.0 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:mulesoft:mule_runtime:*:*:*:*:*:*:*:* (string)

matchCriteriaId : D24C3B68-2456-4D77-87F1-C0056B871D2E (string)

versionEndIncluding : 4.2.1 (string)

versionStartIncluding : 4.1.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process. (string)

}

1 : { »

lang : es (string)

value : Directory Traversal en APIkit, http connector y OAuth2 Provider components en MuleSoft Mule Runtime versión 3.2.0 y versiones anteriores lanzadas antes del 1 de agosto de 2019, MuleSoft Mule Runtime versión 4.1.0 y versiones anteriores lanzadas antes del 1 de agosto de 2019, y todas las versiones de MuleSoft API Gateway lanzado antes del 1 de agosto de 2019 permiten a los atacantes remotos leer los archivos accesibles para el proceso de Mule. (string)

}

]

id : CVE-2019-15630 (string)

lastModified : 2024-11-21T04:29:09.887 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 5 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:L/Au:N/C:P/I:N/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

version : 3.0 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2019-08-30T17:15:11.940 (string)

references : [ »

0 : { »

source : security@salesforce.com (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US (string)

}

1 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://help.salesforce.com/apex/HTViewSolution?urlname=CVE-2019-15630-Directory-Traversal-in-MuleSoft-Runtime&language=en_US (string)

}

]

sourceIdentifier : security@salesforce.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-22 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object