Ironman Software Forums
Continue the conversation on the Ironman Software forums. Chat with over 1000 users about PowerShell, PowerShell Universal, and PowerShell Pro Tools.
Recent versions of PowerShell Universal are affected by an authorization bypass issue and it is recommended that you update your environment.
A bug in the authorization logic of PowerShell Universal allows any authenticated user to access APIs and Dashboards that restrict access by role. The issue is present when using challenge-based authentication such as OpenID Connect, WS-Federation, SAML2 and Windows Authentication. Forms authentication and JWT tokens are not affected.
Authentication is still required to access secure endpoints and dashboards.
For example, any user that can authenticate against this PowerShell Universal instance will be able to execute the following endpoint, regardless of role.
New-PSUEndpoint -Url '/secure' -Endpoint {
"ack"
} -Authenticated -Role 'Administrator'
This call bypasses the role check (authorization), but authentication is still necessary.
Invoke-RestMethod https://localhost:5001/secure -UseDefaultCredentials
Without credentials, the same request returns a 401 error code.
Invoke-RestMethod https://localhost:5001/secure
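The following script is an added example for verifying your own instance; it is not code from Ironman Software or from the advisory. It exercises a role-restricted endpoint (the '/secure' endpoint above is assumed) with a session that authenticates but does not hold the 'Administrator' role, and reports whether the instance enforces the role (HTTP 403), still bypasses it (HTTP 200) or failed to authenticate (HTTP 401). It also compares an installed version string against the fixed release 2.7.4 named below. The base URL, the test session and the version value are placeholders you supply for your environment.

```powershell
# Added example (not part of the advisory): check a PowerShell Universal
# instance for the role-enforcement bypass and compare its version to the fix.

function Get-HttpStatusCode {
    # Extracts the numeric HTTP status from an Invoke-RestMethod error record.
    # Works for Windows PowerShell (HttpWebResponse) and PowerShell 7 (HttpResponseMessage).
    param([Parameter(Mandatory)] $ErrorRecord)
    $response = $ErrorRecord.Exception.Response
    if ($null -ne $response -and $null -ne $response.StatusCode) {
        return [int]$response.StatusCode
    }
    return $null
}

function Test-PSUAuthorizationBypass {
    <#
    .SYNOPSIS
    Calls a role-restricted PSU endpoint with an identity that authenticates but lacks the
    required role. Returns 'Fixed' (403), 'Vulnerable' (200) or 'AuthenticationFailed' (401).
    Any other status is returned as 'Unexpected:<code>'; connection errors are rethrown.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BaseUrl,   # e.g. https://localhost:5001 (placeholder)
        [string] $Path = '/secure',                 # the role-restricted endpoint from the advisory
        [switch] $UseDefaultCredentials,            # Windows Authentication, as in the advisory's example
        [Microsoft.PowerShell.Commands.WebRequestSession] $WebSession,  # an already-authenticated
                                                    # low-privilege session (e.g. after an OIDC login)
        [switch] $SkipCertificateCheck              # PowerShell 7 only; for self-signed dev certs
    )

    $uri = $BaseUrl.TrimEnd('/') + $Path
    $params = @{ Uri = $uri; Method = 'Get'; ErrorAction = 'Stop' }
    if ($UseDefaultCredentials) { $params.UseDefaultCredentials = $true }
    if ($WebSession)            { $params.WebSession = $WebSession }
    if ($SkipCertificateCheck -and $PSVersionTable.PSVersion.Major -ge 6) {
        $params.SkipCertificateCheck = $true
    }

    try {
        $null = Invoke-RestMethod @params
        # A 200 for an identity without the endpoint's role is the bypass described above.
        return 'Vulnerable'
    }
    catch {
        $code = Get-HttpStatusCode -ErrorRecord $_
        if ($null -eq $code) { throw $_ }   # no HTTP response at all (DNS, TLS, connection refused)
        switch ($code) {
            403     { return 'Fixed' }                # authenticated, role enforced: expected behaviour
            401     { return 'AuthenticationFailed' } # the test identity never authenticated
            default { return "Unexpected:$code" }
        }
    }
}

function Test-PSUVersionFixed {
    # True when the supplied version is 2.7.4 or later, the fixed release named in the advisory.
    param([Parameter(Mandatory)] [string] $InstalledVersion)
    return ([version]$InstalledVersion -ge [version]'2.7.4')
}

# Usage (placeholder values; run against your own instance with a non-administrator identity):
# Test-PSUAuthorizationBypass -BaseUrl 'https://localhost:5001' -UseDefaultCredentials
# Test-PSUVersionFixed -InstalledVersion '2.7.3'   # returns False: upgrade required
# Test-PSUVersionFixed -InstalledVersion '2.7.4'   # returns True
```

Run the check as an identity that can sign in but holds no 'Administrator' role: 'Fixed' is the only acceptable result on a patched instance, while 'AuthenticationFailed' means the test identity itself was rejected and says nothing about authorization. For OpenID Connect, WS-Federation and SAML2 the sign-in is interactive, so pass a session established through that flow via -WebSession rather than -UseDefaultCredentials.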
The following versions are affected.
To mitigate this issue, you must upgrade to PowerShell Universal 2.7.4 or later.
Downloads are available from our website.