CVE-2020-15507: 
NixOS vulnerability analysis and mitigation

An arbitrary file reading vulnerability (CVE-2020-15507) was discovered in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0. The vulnerability was reported by Orange Tsai from DEVCORE in early April 2020, and patches were released by MobileIron on June 15, 2020 (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability allows remote attackers to read files on the system via unspecified vectors without requiring authentication (NVD).

The vulnerability enables unauthorized remote attackers to read arbitrary files from affected MobileIron Core servers. This could potentially lead to exposure of sensitive information stored on the system (SecurityWeek).

MobileIron released patches to address this vulnerability on June 15, 2020. Customers are advised to apply one of the following patches: v10.3.0.4, v10.4.0.4, v10.5.1.1, v10.5.2.1, v10.6.0.1, or update to a later version. As of October 2020, MobileIron reported that 90-95% of all devices were being managed on patched/updated versions of their software (Vendor Advisory).

The vulnerability was part of a larger security disclosure that included other critical vulnerabilities in MobileIron products. The disclosure gained significant attention as MobileIron's solutions are used by more than 20,000 enterprises, including over 15% of Global Fortune 500 organizations (SecurityWeek).