Privilege Escalation via Blind SCIM Injection in UAA
Severity

High

Vendor

Pivotal

Description

Pivotal Ops Manager (2.5.x versions prior to 2.5.17 and 2.6.x versions prior to 2.6.9), Pivotal Container Service (1.4.x versions prior to 1.4.3, and 1.5.x versions prior to 1.5.1), and Pivotal Application Service (2.5.x versions prior to 2.5.12, 2.6.x versions prior to 2.6.7, and 2.7.x versions prior to 2.7.1), through their dependency on a vulnerable version of UAA (64.x versions prior to 64.4, 66.x versions prior to 66.4, 71.x versions prior to 71.3 and 73.x versions prior to 73.4.8), allow external input to be used directly in a query. A remote malicious user holding the 'client.write' and 'groups.update' scopes can craft a SCIM query that leaks information enabling an escalation of privileges, ultimately allowing the malicious user to gain control of UAA scopes they should not have.
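To illustrate the vulnerability class behind this advisory (untrusted input concatenated into a SCIM filter, so that a quote in the value ends the string literal and the remainder becomes filter syntax), here is an added example that is not UAA's code and does not reproduce the affected endpoint or query. It assumes a hypothetical group lookup that builds a filter from a caller-supplied displayName, and shows the vulnerable builder, a hardened builder, and a boundary check that accepts only a single well-formed comparison:

```python
import json
import re

# One comparison from the RFC 7644 filter grammar: attrPath, operator, JSON string literal.
# Used as a boundary check: anything that escaped the literal will not match.
ONE_COMPARISON = re.compile(
    r'^(?P<attr>[A-Za-z][A-Za-z0-9_.]*) (?P<op>eq|ne|co|sw|ew) (?P<lit>"(?:[^"\\]|\\.)*")$'
)

# Allowed alphabet for group names in this hypothetical lookup (an assumption, not a UAA rule).
DISPLAY_NAME_ALPHABET = re.compile(r'[A-Za-z0-9._-]{1,255}')


def naive_filter(display_name: str) -> str:
    """Vulnerable pattern: the untrusted value is pasted straight into the filter."""
    return f'displayName eq "{display_name}"'


def safe_filter(display_name: str) -> str:
    """Hardened pattern: reject unexpected characters, then JSON-encode the value so a
    quote or backslash can never terminate the string literal."""
    if not DISPLAY_NAME_ALPHABET.fullmatch(display_name):
        raise ValueError(f"rejected displayName value: {display_name!r}")
    return "displayName eq " + json.dumps(display_name)


def is_single_comparison(filter_expr: str) -> bool:
    """Defensive check for a request boundary: True only if the whole filter is one
    comparison against one string literal (no extra clauses, no unbalanced quotes)."""
    return ONE_COMPARISON.fullmatch(filter_expr) is not None


if __name__ == "__main__":
    # Constructed inputs: a legitimate group name and a value carrying a stray quote.
    for value in ("uaa.admin", 'x" or id pr'):
        built = naive_filter(value)
        print(f"naive : {built!r:40} single comparison: {is_single_comparison(built)}")
        try:
            built = safe_filter(value)
            print(f"safe  : {built!r:40} single comparison: {is_single_comparison(built)}")
        except ValueError as exc:
            print(f"safe  : {exc}")
```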

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • Pivotal Ops Manager
    • 2.5 versions prior to 2.5.17
    • 2.6 versions prior to 2.6.9
  • Pivotal Container Service (PKS)
    • 1.4 versions prior to 1.4.3
    • 1.5 versions prior to 1.5.1
  • Pivotal Application Service (PAS)
    • 2.5 versions prior to 2.5.12
    • 2.6 versions prior to 2.6.7
    • 2.7 versions prior to 2.7.1
  • UAA Release
    • v64 versions prior to v64.4
    • v66 versions prior to v66.4
    • v71 versions prior to v71.3
    • v73 versions prior to v73.4.8

Mitigation

Users of affected versions should upgrade to a fixed release. Releases that have fixed this issue include:

  • Pivotal Ops Manager
    • 2.5.17
    • 2.6.9
  • Pivotal Container Service (PKS)
    • 1.4.3
    • 1.5.1
  • Pivotal Application Service (PAS)
    • 2.5.12
    • 2.6.7
    • 2.7.1
  • UAA Release
    • v64.4
    • v66.4
    • v71.3
    • v73.4.8

Credit

Amit Laish - GE Digital Cyber Security Team

History

2019-10-15: Initial vulnerability report published.