{ "schema_version": "1.4.0", "id": "GHSA-62gw-3rmj-wmp2", "modified": "2025-04-02T22:32:31Z", "published": "2019-09-13T13:25:47Z", "aliases": [ "CVE-2019-1301" ], "summary": "High severity vulnerability that affects System.Management.Automation", "details": "# Microsoft Security Advisory CVE-2019-1301: Denial of Service Vulnerability in PowerShell Core\n\n## Executive Summary\n\nA denial of service vulnerability exists when PowerShell Core or .NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against PowerShell Core scripts.\n\nThe update addresses the vulnerability by correcting how .NET Core handles web requests.\n\nSystem administrators are advised to update PowerShell Core to an unaffected version (see [affected software](#user-content-affected-software)).\n\n\n## Discussion\n\nPlease [open a support question](https://github.com/PowerShell/PowerShell/issues/new?assignees=&labels=Issue-Question&template=Support_Question.md&title=Support+Question) to discuss the PowerShell aspects of this advisory.\nPlease use dotnet/announcements#121 for discussion of the .NET aspects of this advisory.\n\n## Affected Software\n\nThe vulnerability affects PowerShell Core prior to the following versions:\n\n\n| PowerShell Core Version | Fixed in |\n|-------------------------|-------------------|\n| 6.1 | 6.1.6 |\n| 6.2 | 6.2.3 |\n| 7.0 | unaffected |\n| 5 | unaffected |\n\n## Advisory FAQ\n\n### How do I know if I am affected?\n\nIf all of the following are true:\n\n1. Run `pwsh -v`, then check the version in the table in [Affected Software](#user-content-affected-software) to see if your version of PowerShell Core is affected.\n1. If you are running a version of PowerShell Core where the executable is not `pwsh` or `pwsh.exe`, then you are affected. 
This only existed for preview versions of `6.0`.\n\n### How do I update to an unaffected version?\n\nFollow the instructions at [Installing PowerShell Core](https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-powershell?view=powershell-6) to install the latest version of PowerShell Core.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf you have found a potential security issue in PowerShell Core,\nplease email details to secure@microsoft.com.\n\n### Support\n\nYou can ask questions about this issue on GitHub in the PowerShell organization.\nThis is located at https://github.com/PowerShell/.\nThe Announcements repo (https://github.com/PowerShell/Announcements)\nwill contain this bulletin as an issue and will include a link to a discussion issue where you can ask questions.\n\n### What if the update breaks my script or module?\n\nYou can uninstall the newer version of PowerShell Core and install the previous version of PowerShell Core.\nThis should be treated as a temporary measure.\nTherefore, the script or module should be updated to work with the patched version of PowerShell Core.\n\n### Acknowledgments\n\nPaul Ryman of VMware Sydney Engineering Team\n\nMicrosoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.\n\nSee [acknowledgments](https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments) for more information.\n\n### External Links\n\n[CVE-2019-1301](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1301)", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "NuGet", "name": "System.Management.Automation" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.2.0" }, { "fixed": "6.2.3" } ] } ] }, { "package": { "ecosystem": "NuGet", "name": "System.Management.Automation" }, "ranges": [ { "type": 
"ECOSYSTEM", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.1.6" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/PowerShell/PowerShell/security/advisories/GHSA-62gw-3rmj-wmp2" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1301" }, { "type": "PACKAGE", "url": "https://github.com/PowerShell/PowerShell" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-62gw-3rmj-wmp2" }, { "type": "WEB", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1301" } ], "database_specific": { "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:17:47Z", "nvd_published_at": null } }