The security research team at AquaSec (Aqua Security) has published a report highlighting a series of major security vulnerabilities currently present in Microsoft's PowerShell Gallery. As the name suggests, the PowerShell Gallery, or PSGallery, is a repository that hosts scripts, modules, and Desired State Configuration (DSC) resources.
AquaSec explains in its report that there are three major flaws in PSGallery, all centered on deception and forgery. The surprising part is that Microsoft has apparently been aware of the issues for a very long time and has yet to implement any fix. AquaSec states:
Despite reporting the flaws to the Microsoft Security Response Center on two separate occasions, with confirmation of the reported behavior and claims of ongoing fixes, as of August 2023, the issues remain reproducible, indicating that no tangible changes have been implemented.
To illustrate what it means by this, AquaSec has also published the full vulnerability disclosure timeline, which suggests that the tech giant has been aware of the issue since September of last year. In fact, in March 2023, Microsoft seemingly confirmed that "reactive fixes" were out.
Disclosure timeline