HomepageOkta logo

Okta Access Gateway CVE-2021-28113

View all security advisories

Description

A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway in version 2020.8.4 and earlier allows attackers with admin access to the Okta Access Gateway UI to execute OS commands as a privileged system account.

Affected product and versions

Okta Access Gateway version 2020.8.4 and earlier

Resolution

The vulnerability is fixed in Okta Access Gateway version 2020.9.3 and newer. To remediate this vulnerability upgrade Okta Access Gateway.

CVE details

CVE ID

CVE ID

Published Date

2021-04-02

Vulnerability Type

Command Injection

CWE

CWE-77

CVSS v3

Score:6.7

Vector string:AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L/E:H/RL:U/RC:C

Acknowledgements

Okta would like to thank Jeremy Brown for responsibly reporting this vulnerability.

References

  • Okta.com
  • Privacy
  • Security Advisories
  • Security Blog

© 2024 Okta, Inc. All rights reserved.