
Okta Advanced Server Access Client CVE-2023-0093


Description

Okta Advanced Server Access Client versions 1.13.1 through 1.68.1 are vulnerable to command injection due to the third-party library webbrowser.

Affected product and versions

Okta’s Advanced Server Access customers that have currently installed or previously had installed versions 1.13.1 through 1.68.1 of the Okta Advanced Server Access Client.

Resolution

The vulnerability is fixed in Okta Advanced Server Access Client version 1.68.2. To remediate this vulnerability, upgrade to 1.68.2 or greater.
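One way to sweep a fleet for installs still inside the affected range, as an added example (not Okta's own code or tooling): it compares versions numerically so that, for instance, "1.9.x" is correctly treated as older than "1.13.1". The inventory data and host names are constructed; how you collect the client's version string is assumed to be handled by your own inventory process.

```python
"""Flag Okta ASA client installs affected by CVE-2023-0093.

Affected range per the advisory: 1.13.1 through 1.68.1 inclusive;
fixed in 1.68.2. Added example, not Okta's code; the inventory below
is constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

FIRST_AFFECTED = (1, 13, 1)
LAST_AFFECTED = (1, 68, 1)
FIXED = (1, 68, 2)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) as ints, or None if unparseable.
    Comparing int tuples avoids the lexicographic trap ("1.9.4" > "1.68.1")."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies inside the advisory's affected range."""
    v = parse_version(version)
    return v is not None and FIRST_AFFECTED <= v <= LAST_AFFECTED


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Sorted hostnames whose client is affected. Hosts whose version could
    not be parsed are reported as well, since they cannot be proven safe."""
    return sorted(host for host, ver in inventory.items()
                  if parse_version(ver) is None or is_affected(ver))


# Constructed sample inventory: hostname -> version reported by the client.
SAMPLE_INVENTORY = {
    "bastion-01": "1.68.2",  # fixed release
    "bastion-02": "1.68.1",  # last affected release
    "build-07": "1.13.0",    # predates the affected range
    "build-08": "1.13.1",    # first affected release
    "dev-laptop": "1.9.4",   # string-compares above 1.68.1, numerically older
    "unknown-3": "n/a",      # version not determined: report it
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: upgrade ASA client to {'.'.join(map(str, FIXED))} or later")
```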


Severity details

An outdated library, webbrowser, used by the ASA client was found to be vulnerable to command injection. To exploit this issue, an attacker would need to phish the user into entering an attacker-controlled server URL during enrollment.

CVE details

CVE ID: CVE-2023-0093
Published Date: 2023-02-22
Vulnerability Type: OS Command Injection
CWE: CWE-78
CVSS v3

Score: 7.5

Vector string: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Acknowledgements

Okta would like to thank Tao Sauvage from Anvil Secure for assistance on this finding.