Security Notice: PowerShell Universal Authorization Bypass

Recent versions of PowerShell Universal are affected by an authorization bypass issue, and it is recommended that you update your environment.

Impact

A bug in the authorization logic of PowerShell Universal allows any authenticated user to reach APIs and Dashboards that are restricted to specific roles. The issue is present when using challenge-based authentication such as OpenID Connect, WS-Federation, SAML2 and Windows Authentication. Forms authentication and JWT tokens are not affected.

Authentication is still required to access secure endpoints and dashboards.

For example, the following endpoint requires the Administrator role. On an affected version, any user that can authenticate against this PowerShell Universal instance can execute it, regardless of role.

New-PSUEndpoint -Url '/secure' -Endpoint {
    "ack"
} -Authenticated -Role 'Administrator'

The following request, sent as an authenticated user who does not hold the Administrator role, bypasses the role check; authentication itself is still necessary.


Invoke-RestMethod https://localhost:5001/secure -UseDefaultCredentials

The same request without credentials is rejected with a 401 status code.


Invoke-RestMethod https://localhost:5001/secure
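As an added check that is not part of the advisory, the script below reproduces the three situations described above against a protected endpoint and reports whether the role check is enforced. It assumes the instance uses Windows Authentication (so `-Credential` can negotiate), that `$NonAdminCred` is a test account which authenticates successfully but does not hold the `Administrator` role, that `$AdminCred` holds it, and that PowerShell 7 or later is available for `-SkipHttpErrorCheck`. The endpoint path `/secure` is the one from the example above; everything else here is constructed for the check.

```powershell
# Added verification script (not from the advisory or the PowerShell Universal project).
# Assumptions: Windows Authentication is configured, $NonAdminCred is an account without
# the 'Administrator' role, $AdminCred has it, PowerShell 7+ (for -SkipHttpErrorCheck).
param(
    [string]$BaseUrl = 'https://localhost:5001',
    [string]$EndpointPath = '/secure',
    [Parameter(Mandatory)][pscredential]$NonAdminCred,
    [Parameter(Mandatory)][pscredential]$AdminCred,
    [switch]$SkipCertificateCheck   # set for a self-signed localhost certificate
)

# Returns the HTTP status code for a GET, without throwing on 4xx/5xx.
function Get-EndpointStatus {
    param([string]$Url, [pscredential]$Credential)
    $request = @{ Uri = $Url; Method = 'Get'; SkipHttpErrorCheck = $true }
    if ($Credential) { $request.Credential = $Credential }
    if ($SkipCertificateCheck) { $request.SkipCertificateCheck = $true }
    return [int](Invoke-WebRequest @request).StatusCode
}

$url = "$BaseUrl$EndpointPath"
$status = [ordered]@{
    Anonymous = Get-EndpointStatus -Url $url
    NonAdmin  = Get-EndpointStatus -Url $url -Credential $NonAdminCred
    Admin     = Get-EndpointStatus -Url $url -Credential $AdminCred
}
$status | Format-Table -AutoSize | Out-String | Write-Host

# Expected on a fixed version (2.7.4+): anonymous 401, non-admin anything but 200, admin 200.
# On an affected version the non-admin request succeeds with 200.
$findings = @()
if ($status.Anonymous -ne 401) { $findings += "Anonymous request returned $($status.Anonymous), expected 401." }
if ($status.Admin -ne 200)     { $findings += "Admin request returned $($status.Admin); check the test account or endpoint." }
if ($status.NonAdmin -eq 200)  { $findings += "Non-admin user reached a role-protected endpoint: authorization bypass present." }

if ($findings.Count -eq 0) {
    Write-Host "PASS: role check enforced on $url"
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it once before and once after the upgrade; the only line that should change is the non-admin status, which moves from 200 to a non-200 code. For OpenID Connect, SAML2 or WS-Federation the `-Credential` approach does not apply, and the non-admin request would instead need a browser session cookie obtained through the identity provider.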

Affected Versions

The following versions are affected.

  • 2.7.3
  • 2.7.2
  • 2.7.1
  • 2.7.0
  • 2.6.2
  • 2.6.1
  • 2.6.0
  • 2.5.5
  • 2.5.4
  • 2.5.3
  • 2.5.2
  • 2.5.1
  • 2.5.0

Mitigation

To mitigate this issue, you must upgrade to PowerShell Universal 2.7.4 or later.

Downloads are available from our website.