CVE-2019-11282: UAA is vulnerable to a Blind SCIM injection leading to information disclosure


Severity

Medium

Vendor

Pivotal

Description

VMware Tanzu Application Service for VMs, versions prior to 2.8.0, Operations Manager, versions prior to 2.8.0, and Pivotal Container Service, versions prior to 1.7.0, ship a vulnerable version of UAA, which exposes an endpoint that is vulnerable to SCIM injection. A remote, authenticated malicious user holding the scim.invite scope can craft a request whose content leaks information about the users of the UAA.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Operations Manager
    • All versions prior to 2.8.0
  • Pivotal Container Service (PKS)
    • All versions prior to 1.7.0
  • VMware Tanzu Application Service for VMs
    • All versions prior to 2.8.0

Mitigation

Users of affected versions should upgrade to one of the following releases, which have fixed this issue:

  • Operations Manager
    • 2.8.0
  • Pivotal Container Service (PKS)
    • 1.7.0
  • VMware Tanzu Application Service for VMs
    • 2.8.0

Credit

Amit Laish - GE Digital Cyber Security Team

References

History

2020-04-06: Initial vulnerability report published.