PT-2023-16008 · Okta · Okta Advanced Server Access Client
Tao Sauvage · Published 2023-03-06 · Updated 2023-03-13
CVE-2023-0093 · CVSS v3.1 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Okta Advanced Server Access Client versions 1.13.1 through 1.65.0
Description
The vulnerability is a command injection in an outdated third-party library, webbrowser, which the Okta Advanced Server Access Client uses. To exploit it, an attacker would need to phish the user into entering an attacker-controlled server URL during enrollment.
Recommendations
For Okta Advanced Server Access Client versions 1.13.1 through 1.65.0, update to a version that includes an updated webbrowser library to prevent command injection. As a temporary workaround, restrict user enrollment to trusted server URLs to reduce the risk of exploitation.
Fix
Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Okta Advanced Server Access Client