
Cloud Vulnerability DB
A community-led vulnerabilities database
An authentication bypass vulnerability was discovered in MobileIron Core & Connector affecting versions 10.3.0.3 and earlier, 10.4.0.0 through 10.4.0.3, 10.5.1.0, 10.5.2.0, and 10.6.0.0. The vulnerability was disclosed in July 2020 and allows remote attackers to bypass authentication mechanisms via unspecified vectors (MobileIron Blog, NVD).
The vulnerability received a CVSS v3 base score of 9.8 (Critical), with high impact and exploitability scores. The attack vector is network-based, attack complexity is low, no privileges or user interaction are required, and the impact on confidentiality, integrity, and availability is high (AttackerKB). The authentication bypass relies on a discrepancy between how Apache and Tomcat parse the path component of the URI, similar to the technique used in CVE-2020-5902 (AttackerKB).
Because MobileIron is mobile device management (MDM) software, widely used especially during the shift toward remote work, compromise of an organization's MDM infrastructure could have devastating consequences. The vulnerability allows remote attackers to bypass authentication mechanisms, potentially leading to unauthorized access to critical systems and data (AttackerKB).
MobileIron released patches for all affected products on June 15, 2020. For MobileIron Core & Enterprise Connector, users should apply one of the following patches: v10.3.0.4, v10.4.0.4, v10.5.1.1, v10.5.2.1, v10.6.0.1, or update to a later version. The company strongly recommends that customers apply these patches and security updates as soon as possible (MobileIron Blog).
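The following is an added example, not part of the original report or any MobileIron tooling: a small inventory check that maps a Core or Connector version string to the fixed release listed above. The hostnames, the version-string formats, and the zero-padding of short versions are assumptions.

```python
import re

# Affected ranges and fixed releases as listed in the advisory text above.
AFFECTED = [
    ((0, 0, 0, 0), (10, 3, 0, 3), "10.3.0.4"),   # 10.3.0.3 and earlier
    ((10, 4, 0, 0), (10, 4, 0, 3), "10.4.0.4"),
    ((10, 5, 1, 0), (10, 5, 1, 0), "10.5.1.1"),
    ((10, 5, 2, 0), (10, 5, 2, 0), "10.5.2.1"),
    ((10, 6, 0, 0), (10, 6, 0, 0), "10.6.0.1"),
]

def parse_version(text):
    """First dotted version in text as a 4-tuple; missing parts count as 0 (assumption)."""
    m = re.search(r"\d+(?:\.\d+){1,3}", text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def check(version_text):
    """Return (affected, fixed_release); False only means 'not in this advisory's list'."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return True, fixed
    return False, None

def triage(inventory):
    """Map host -> minimum fixed release for every host that needs attention."""
    todo = {}
    for host, version_text in inventory.items():
        try:
            affected, fixed = check(version_text)
        except ValueError:
            # Unparseable version: flag for manual review instead of skipping.
            affected, fixed = True, "unknown"
        if affected:
            todo[host] = fixed
    return todo

# Constructed inventory (hypothetical hostnames and version strings).
INVENTORY = {
    "mdm-core-01": "10.3.0.3",
    "mdm-core-02": "10.4.0.4",
    "mdm-conn-01": "Connector 10.5.2.0",
    "mdm-lab-01": "n/a",
}

if __name__ == "__main__":
    print(triage(INVENTORY))
```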
MobileIron has engaged in ongoing proactive outreach to help customers secure their systems through account team calls, regular targeted emails, and in-product notices. As of October 2020, the company estimated that between 90% and 95% of all devices were being managed on patched or updated versions of its software (MobileIron Blog).
Source: This report was generated using AI