
Okta Advanced Server Access Client CVE-2022-1030


Description

Okta Advanced Server Access Client for Linux and macOS prior to version 1.58.0 was found to be vulnerable to command injection via a specially crafted URL. An attacker who knows a valid team name for the victim and a valid target host that the user can access can execute commands on the user's local system.

Affected product and versions

Okta Advanced Server Access Client for Linux and macOS prior to version 1.58.0.

Resolution

The vulnerability is fixed in Okta Advanced Server Access Client for Linux and macOS version 1.58.0. To remediate this vulnerability, upgrade Okta Advanced Server Access Client for Linux and macOS.
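As an added example (not Okta's code), a small check that decides whether a reported client version on a given OS falls within this advisory's scope; how the version string is obtained from the client is left to the caller, and the comparison is numeric so that 1.9.0 sorts below 1.58.0.

```python
import platform
import re

# Fixed version named in the advisory: clients for Linux and macOS
# prior to 1.58.0 are affected.
FIXED_VERSION = (1, 58, 0)
# platform.system() reports "Darwin" on macOS.
AFFECTED_PLATFORMS = {"Linux", "Darwin"}


def parse_version(text):
    """Extract the leading major.minor.patch from a version string.

    Tolerates prefixes and suffixes such as 'v1.57.2' or '1.57.2-beta'.
    Returns a tuple of ints so comparisons are numeric, not lexical.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no major.minor.patch found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text, system=None):
    """True if this client version on this OS is within the advisory's scope.

    version_text: version string reported by the installed client (assumed input).
    system: OS name as platform.system() would return; defaults to the local OS.
    """
    system = system or platform.system()
    if system not in AFFECTED_PLATFORMS:
        return False
    return parse_version(version_text) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for version, os_name in [("1.57.3", "Linux"), ("1.58.0", "Darwin"), ("v1.9.0", "Darwin")]:
        print(f"{os_name} client {version}: affected={is_affected(version, os_name)}")
```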

CVE details

CVE ID: CVE-2022-1030
Published Date: 2022-03-21
Vulnerability Type: Command Injection
CWE: CWE-77
CVSS v3 Score: 7.5
CVSS v3 Vector string: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Acknowledgements

Okta would like to thank David Russell and Esteban Guillardoy from the Okta Application Security Team for finding this vulnerability.

Legal Disclaimer:

The information provided in Okta’s Security Advisories is provided "as is" without warranty of any kind. Okta disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Okta or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Okta or its suppliers have been advised of the possibility of such damages. The foregoing exclusions will not apply to the extent prohibited by applicable law.

References

Install the Advanced Server Access client