CVE-2019-13116
CRITICAL
MuleSoft Mule Runtime < 3.8.0 - Unauthenticated Remote Code Execution via Java Deserialization
Title source: llm
Description
The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java deserialization, related to Apache Commons Collections.
References (2)
Core References
Release Notes x_refsource_misc
https://docs.mulesoft.com/release-notes/mule-runtime/mule-3.8.0-release-notes
Exploit, Third Party Advisory x_refsource_misc
https://threat.tevora.com/mulesoft-3-8-unauthenticated-rce/
Scores
CVSS v3
9.8
EPSS
0.0513
EPSS Percentile
91.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (2)
mulesoft/mule_runtime
< 3.8.0
org.mule.runtime/mule
0 - 3.8.0
Maven
Published
Oct 16, 2019
Tracked Since
Feb 18, 2026