HomepageOkta logo

Okta Active Directory Agent CVE-2022-1697

View all security advisories


Okta Active Directory Agent versions 3.8.0 through 3.11.0 installed the Okta AD Agent Update Service using an unquoted path.

Affected product and versions

Okta customers that have currently installed or previously had installed versions 3.8.0, 3.9.0, 3.10.0, and 3.11.0 of Okta Active Directory Agent.


The vulnerability is resolved in Okta Active Directory Agent version 3.12.0.  The Okta AD Agent Update Service is not capable of deploying all security enhancements that are introduced in version 3.12.0. To remediate this vulnerability, you must uninstall Okta Active Directory Agent and reinstall Okta Active Directory Agent 3.12.0 or greater per the documentation.


Severity details

To exploit this issue, a local attacker would need to have Administrator and local access to the Active Directory hosts where this agent is installed. The attacker would then need to determine if the vulnerable configuration exists and the unquoted path. Administrator privileges would be required to introduce malicious software into the unquoted path.

CVE details

CVE IDCVE-2022-1697
Published Date2022-09-01
Vulnerability TypeUnquoted Search Path or Element


Vector string:AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L