CVE-2019-15630: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

May 24, 2022 (updated July 17, 2023)

Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process.

References

github.com/advisories/GHSA-mwh9-gr45-xvv4
help.mulesoft.com/s/article/Directory-traversal-vulnerability-affecting-runtimes-of-MuleSoft-customers-running-certain-use-cases-of-Mule-flows-and-API-Gateways
nvd.nist.gov/vuln/detail/CVE-2019-15630

Detect and mitigate CVE-2019-15630 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →