I discovered an new unknown vulnerability on my vRops 6.3 home lab that allows any user logging in with the Authentication Source: Active Directory (others sources not yet confirmed) to change the user role membership as they please. This allowed me to obtain the Administrator role and well.. the sky was the limit from there.
I tested this on 6.2.1 and 6.3 and can confirm that the exploit is possible on at lease these 2 versions, I informed VMware yesterday and I am waiting on them to provide more details / a patch. I will provide further information when i receive it from VMware.
I highly recommend removing the permission Administration —> Access Control —> View Access Control Page from any custom roles if it’s not required and from the default roles ContentAdmin, GeneralUser-1, GeneralUser-2, GeneralUser-3, GeneralUser-4, PowerUser and PowerUserMinusRemediation until VMware patch it.