Security Bulletin: PowerShell Universal Privilege Escalation and Directory Traversal

PowerShell Universal

November 13, 2022

On Friday, November 11th, 2022, a customer notified us, under our Vulnerability Response Policy, of two security issues they had identified in PowerShell Universal, which we are announcing today. Both issues have been patched; details follow below.

CVE-2022-45183 - Privilege Escalation via App Token Exploit

Affected Versions

Description

Escalation of privileges in the Web Server in Ironman Software PowerShell Universal 2.x and 3.x allows an attacker with a valid app token to retrieve other app tokens by ID via an HTTP web request.

Root Cause

A logic error in the App Token endpoint allowed any valid app token to retrieve, by ID, any other app token created by the same user. For example, if a user created a Reader app token, that Reader token could retrieve an Administrator app token also created by that user and thereby escalate its privileges. App tokens could not access app tokens created by other users.

Remediation

Patching to a new version fixes this behavior. Additionally, revoking app tokens that meet these criteria (multiple tokens of differing privilege created by the same user) mitigates this vulnerability without patching.

Patched Versions

CVE-2022-45184 - Directory Traversal by Administrator Users

Affected Versions

Description

The Web Server in Ironman Software PowerShell Universal v3.x allows for directory traversal outside of the configuration directory, which allows a remote attacker with administrator privilege to create files outside of the configuration directory via a crafted HTTP request to particular endpoints in the web server.

Root Cause

Invalid path validation allowed administrator users to construct HTTP requests that could create files outside of the PowerShell Universal repository (configuration) directory.
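The root cause is a missing containment check on the file path derived from the request. The following is an added illustration, not PowerShell Universal's own code, of the check a web server should apply before creating a file from a request-supplied name: resolve the candidate against the configuration directory and reject anything that does not stay inside it. The configuration directory and the request values are constructed for the example.

```python
import os
import tempfile
from typing import Optional


def resolve_inside(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` if it lies inside `base_dir`,
    otherwise None. Comparing normalised real paths means '..' segments,
    absolute paths and symlinks that escape the directory are all rejected."""
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute, so an
    # absolute request resolves to itself and then fails the containment test.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        # commonpath rather than startswith, so '/srv/config2' is not
        # mistaken for a path inside '/srv/config'.
        contained = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows
        contained = False
    if not contained or candidate == base:
        return None
    return candidate


def safe_write(base_dir: str, requested: str, content: str) -> bool:
    """Create a file from a request-supplied name only when it stays inside base_dir."""
    target = resolve_inside(base_dir, requested)
    if target is None:
        return False
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(content)
    return True


def demo_results() -> dict:
    """Exercise the check against constructed request values (example data only)."""
    with tempfile.TemporaryDirectory() as config_dir:
        cases = {
            "inside": "dashboards/home.ps1",
            "parent_escape": "../outside.ps1",
            "nested_escape": "dashboards/../../outside.ps1",
            "absolute": os.path.join(os.path.dirname(config_dir), "outside.ps1"),
            "prefix_sibling": os.path.join(config_dir + "2", "outside.ps1"),
            "base_itself": "",
        }
        return {label: safe_write(config_dir, req, "# content") for label, req in cases.items()}
```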

Remediation

Patching to a new version fixes this behavior.

Patched Versions

Acknowledgment

Special thanks to Thierry Viaccoz for reporting these issues.