
Okta Advanced Server Access Client CVE-2023-0093


Description

Okta Advanced Server Access Client versions 1.13.1 through 1.68.1 are vulnerable to command injection due to the third-party library webbrowser.

Affected product and versions

Okta Advanced Server Access customers who currently have, or previously had, versions 1.13.1 through 1.68.1 of the Okta Advanced Server Access Client installed.

Resolution

The vulnerability is fixed in Okta Advanced Server Access Client version 1.68.2. To remediate this vulnerability, upgrade to version 1.68.2 or later.

Severity details

An outdated version of the third-party library webbrowser, used by the ASA client, was found to be vulnerable to command injection. To exploit this issue, an attacker would need to phish the user into entering an attacker-controlled server URL during enrollment; the attack therefore requires user interaction and a successful social-engineering step, which is reflected in the AC:H and UI:R components of the vector below.
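The prerequisite above is that the client accepts a server URL typed by the user and later hands it to a helper that launches a browser. Whatever the exact sink inside the affected library, the client-side defence is the same: canonicalize and allow-list the URL before it reaches any OS-level opener, so that shell metacharacters, userinfo tricks or look-alike hosts cannot survive into the command. The following Python is an added illustration of that check; it is not Okta's code and not the fix shipped in 1.68.2. The allowed host suffix .asa.example, the exception type and the function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allow-list: the enrollment flow should only ever reach a
# team endpoint under this suffix. Constructed for this example.
ALLOWED_HOST_SUFFIXES = (".asa.example",)

# Strict DNS hostname: labels of [a-z0-9-], no leading/trailing hyphen,
# alphabetic TLD. urlsplit() lower-cases the host before we see it.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# Path restricted to unreserved characters, so ; & | $ ( ) ' " and spaces
# (everything a shell would interpret) are rejected structurally.
_PATH_RE = re.compile(r"(?:/[A-Za-z0-9._~-]+)*/?")


class UnsafeEnrollmentURL(ValueError):
    """Raised when a user-supplied server URL fails the allow-list."""


def sanitize_enrollment_url(raw: str) -> str:
    """Return a canonical https URL for the enrollment server, or raise.

    The check is structural rather than a metacharacter blacklist: the URL is
    parsed, every component must pass a strict test, and the result is rebuilt
    from those components, so only scheme://host[:443]/path can come out.
    """
    if not isinstance(raw, str) or len(raw) > 2048:
        raise UnsafeEnrollmentURL("bad type or length")
    parts = urlsplit(raw.strip())
    if parts.scheme != "https":
        raise UnsafeEnrollmentURL("scheme must be https")
    if parts.username is not None or parts.password is not None:
        raise UnsafeEnrollmentURL("userinfo is not allowed")
    host = parts.hostname or ""
    if not _HOST_RE.match(host) or not host.endswith(ALLOWED_HOST_SUFFIXES):
        raise UnsafeEnrollmentURL(f"host not allowed: {host!r}")
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        raise UnsafeEnrollmentURL("bad port") from None
    if port not in (None, 443):
        raise UnsafeEnrollmentURL("port must be 443")
    if parts.query or parts.fragment:
        raise UnsafeEnrollmentURL("query and fragment are not allowed")
    path = parts.path or "/"
    if not _PATH_RE.fullmatch(path):
        raise UnsafeEnrollmentURL("path contains disallowed characters")
    # Rebuild from validated parts; never pass `raw` onward.
    return urlunsplit(("https", host, path, "", ""))


def is_safe_enrollment_url(raw: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        sanitize_enrollment_url(raw)
        return True
    except UnsafeEnrollmentURL:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign URL and several injection attempts.
    samples = [
        "https://Team.asa.example",
        "https://team.asa.example:443/enroll/",
        "https://team.asa.example/enroll & calc.exe",
        "https://team.asa.example/enroll;id",
        "https://team.asa.example.evil.test/",
        "https://x@team.asa.example/",
        "http://team.asa.example/",
    ]
    for s in samples:
        print(f"{is_safe_enrollment_url(s)!s:5}  {s}")
```

The value returned by sanitize_enrollment_url, not the original string, is what should be handed to the browser helper. Rebuilding the URL from validated components is what makes the check robust: even if a future parser quirk let an odd byte through one component, the rejected shape cannot be reassembled into a shell-significant string.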

CVE details

CVE ID

CVE-2023-0093

Published Date

2023-02-22

Vulnerability Type

OS Command Injection

CWE

CWE-78

CVSS v3

Score: 7.5

Vector string: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Acknowledgements

Okta would like to thank Tao Sauvage from Anvil Secure for assistance on this finding.

References

Install the Advanced Server Access client | Okta