Miggo Logo
Miggo Vulnerability Database
CVE-2019-13116

CVE-2019-13116: Mulesoft Mule Unsafe Deserialization

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-13116
GHSA ID
GHSA-cvcf-w75c-gw5r
EPSS Score
0.86554%
CWE
CWE-502
Published
5/24/2022
Updated
9/26/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.mule.runtime:mulemaven< 3.8.03.8.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure Java deserialization using Apache Commons Collections, but the provided information lacks specific code references or patch diffs to identify exact vulnerable functions. While the advisory references CWE-502 (Deserialization of Untrusted Data) and Apache Commons Collections' known exploit chain (e.g., InvokerTransformer), Mule's implementation details are not disclosed. Common patterns suggest vulnerable code would involve deserialization entry points (e.g., ObjectInputStream.readObject()) in network-facing components, but without concrete evidence of Mule's specific vulnerable code paths or patched methods, we cannot confidently name specific functions. The patched version (3.8.0) likely added validation or removed Commons Collections dependencies, but the absence of commit details prevents precise function identification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Mul*So*t Mul* runtim* *n*in* ***or* *.*.* *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** ****us* o* J*v* **s*ri*liz*tion, r*l*t** to *p**** *ommons *oll**tions.

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* J*v* **s*ri*liz*tion usin* *p**** *ommons *oll**tions, *ut t** provi*** in*orm*tion l**ks sp**i*i* *o** r***r*n**s or p*t** *i**s to i**nti*y *x**t vuln*r**l* *un*tions. W*il* t** **visory r***r*n**s *W*-*** (**s