On Friday, November 11th, 2022, a customer notified us, as part of our Vulnerability Response Policy, of two security issues that they had identified in PowerShell Universal, which we are announcing today. These issues have been patched, and you will find more information below.
Escalation of privileges in the Web Server in Ironman Software PowerShell Universal 2.x and 3.x allows an attacker with a valid app token to retrieve other app tokens by ID via an HTTP web request.
A logic error in the App Token endpoint would allow valid app tokens created by a single user to access any app token created by that user. For example, if a user created a Reader app token, the reader app token could access an administrator app token, also created by that user, to escalate their privileges. App tokens could not access the app tokens created by other users.
Patching to a new version fixes this behavior. Additionally, it is possible to revoke app tokens that meet these criteria to mitigate this vulnerability without patching.
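One way to shortlist tokens for that revocation, shown as an added example that is not Ironman Software's code: it groups a token inventory by owner and reports owners whose still-usable tokens carry more than one role. The inventory and its property names (`Id`, `Identity`, `Role`, `Expiration`, `Revoked`) are constructed for illustration, and treating expired or revoked tokens as out of scope is an assumption.

```powershell
# Constructed sample inventory. Property names are assumptions for this example,
# not the product's schema; map them to whatever your token export provides.
$now = Get-Date
$tokens = @(
    [pscustomobject]@{ Id = 1; Identity = 'alice'; Role = 'Reader';        Expiration = $now.AddDays(30); Revoked = $false }
    [pscustomobject]@{ Id = 2; Identity = 'alice'; Role = 'Administrator'; Expiration = $now.AddDays(30); Revoked = $false }
    [pscustomobject]@{ Id = 3; Identity = 'bob';   Role = 'Reader';        Expiration = $now.AddDays(30); Revoked = $false }
    [pscustomobject]@{ Id = 4; Identity = 'bob';   Role = 'Administrator'; Expiration = $now.AddDays(-5); Revoked = $false }
    [pscustomobject]@{ Id = 5; Identity = 'carol'; Role = 'Reader';        Expiration = $now.AddDays(30); Revoked = $false }
    [pscustomobject]@{ Id = 6; Identity = 'carol'; Role = 'Administrator'; Expiration = $now.AddDays(30); Revoked = $true  }
    [pscustomobject]@{ Id = 7; Identity = 'dave';  Role = 'Reader';        Expiration = $now.AddDays(30); Revoked = $false }
    [pscustomobject]@{ Id = 8; Identity = 'dave';  Role = 'Reader';        Expiration = $now.AddDays(10); Revoked = $false }
)

# Hypothetical helper: returns one row per owner whose active tokens span several roles.
function Get-MixedRoleTokenOwner {
    param(
        [Parameter(Mandatory)] [object[]] $Token,
        [datetime] $AsOf = (Get-Date)
    )

    # Assumption: only tokens that can still authenticate matter for the mitigation.
    $active = $Token | Where-Object { -not $_.Revoked -and $_.Expiration -gt $AsOf }

    # The advisory scopes the issue to tokens created by the same user, so group by owner.
    foreach ($group in ($active | Group-Object -Property Identity)) {
        $roles = @($group.Group | Select-Object -ExpandProperty Role -Unique | Sort-Object)

        # A single role across all of an owner's tokens leaves nothing to escalate to.
        if ($roles.Count -gt 1) {
            [pscustomobject]@{
                Identity = $group.Name
                Roles    = $roles -join ', '
                TokenIds = @($group.Group.Id)
            }
        }
    }
}

# With the sample data only 'alice' is reported: bob's Administrator token has
# expired, carol's is revoked, and dave's tokens share one role.
Get-MixedRoleTokenOwner -Token $tokens -AsOf $now | Format-Table -AutoSize
```

The output is a review list, not a revocation list: which of an owner's tokens to revoke depends on where each one is deployed.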
The Web Server in Ironman Software PowerShell Universal v3.x allows for directory traversal outside of the configuration directory, which allows a remote attacker with administrator privilege to create files outside of the configuration directory via a crafted HTTP request to particular endpoints in the web server.
Invalid path validation allowed administrator users to construct HTTP requests that could create files outside of the PowerShell Universal repository (configuration) directory.
Patching to a new version fixes this behavior.
Special thanks to Thierry Viaccoz for reporting these issues.