Privilege Escalation Observed with Role Assignment Permissions NSX-T 3.1.1

Article ID: 321550

Updated On:

Products

VMware NSX Networking

Issue/Introduction

With the introduction of the local guest user feature in NSX-T 3.1.1 (GA, January 2021), a potential for privilege escalation was identified. A local guest user who has been granted the permission to assign roles to other users can assign privileges greater than their own, which leads to a privilege escalation scenario. The scope of this issue is limited to a particular sequence of configuration steps.

Resolution

This issue has been resolved in NSX-T maintenance release 3.1.2.

Workaround:
Do not activate the local guest users, and/or do not assign an RBAC role that includes the user-role assignment permission to local guest users.

Additional Information

Impact/Risks:
This potential privilege escalation is only seen in the following scenario:

By default, local guest user accounts are disabled and are restricted to the "audit" role/permissions. For this issue to occur, an existing NSX Enterprise Administrator must first activate the local guest users. The existing NSX Enterprise Administrator must then grant "role assignment" permissions to one of the two new local guest user accounts. The local user account that now has "role assignment" permissions is able to assign privileges greater than its own permission level.

This potential privilege escalation is only seen with "local guest user" functionality introduced in NSX-T 3.1.1.  The scope of this issue is limited to the two additional "local" users and does not apply to remote users from NSX-T LDAP/VIDM integration.  In effect, corporate credentials are not affected.
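As an added check, not from this KB article: a small Python audit that flags the risky configuration described above (an activated local guest user holding a role that carries role-assignment permission) in an exported list of NSX role bindings. The record layout, the guest account names and the role names are assumptions, not values from this article; adapt them to your own export.

```python
# Added example, not part of the KB article. Audits a list of role-binding
# records for local guest users that have been elevated beyond the default
# audit role, in particular to a role carrying role-assignment permission.
# The record layout (name/type/roles) is an assumption loosely modelled on an
# NSX-T role-binding export; field and role names below are assumptions.
from dataclasses import dataclass
from typing import List

LOCAL_GUEST_USERS = {"guestuser1", "guestuser2"}      # assumed account names
ROLE_ASSIGNMENT_ROLES = {"enterprise_admin"}           # assumed: roles that can assign roles
DEFAULT_GUEST_ROLE = "auditor"                         # assumed name of the audit role


@dataclass
class Finding:
    user: str
    roles: tuple
    reason: str


def audit_role_bindings(bindings: List[dict]) -> List[Finding]:
    """Return one Finding per local guest user whose roles deviate from the default."""
    findings = []
    for b in bindings:
        # Remote LDAP/VIDM users are out of scope for this issue, as are the
        # built-in local admin accounts; only the two guest users are checked.
        if b.get("type") != "local_user" or b.get("name") not in LOCAL_GUEST_USERS:
            continue
        roles = tuple(r["role"] for r in b.get("roles", []))
        if any(r in ROLE_ASSIGNMENT_ROLES for r in roles):
            findings.append(Finding(b["name"], roles,
                                    "local guest user holds a role with role-assignment permission"))
        elif any(r != DEFAULT_GUEST_ROLE for r in roles):
            findings.append(Finding(b["name"], roles,
                                    "local guest user elevated above the default audit role"))
    return findings


# Constructed sample input (not real NSX output): one guest user has been
# granted enterprise_admin, the other still holds only the audit role.
SAMPLE_BINDINGS = [
    {"name": "admin", "type": "local_user", "roles": [{"role": "enterprise_admin"}]},
    {"name": "guestuser1", "type": "local_user", "roles": [{"role": "enterprise_admin"}]},
    {"name": "guestuser2", "type": "local_user", "roles": [{"role": "auditor"}]},
    {"name": "netops@corp.example", "type": "remote_user", "roles": [{"role": "enterprise_admin"}]},
]

if __name__ == "__main__":
    for f in audit_role_bindings(SAMPLE_BINDINGS):
        print(f"{f.user}: {f.reason} (roles={f.roles})")
```

Any finding means the workaround above has not been applied; the expected remediation is to return the guest user to the audit role or deactivate the account until 3.1.2 is installed.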