
Okta LDAP Agent CVE-2023-0392


Description

The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution.

Affected product and versions

Okta LDAP Agent customers who currently have, or previously had, a version of the Okta LDAP Agent earlier than 5.18 installed.

Resolution

The vulnerability is fixed in Okta LDAP Agent version 5.18. To remediate this vulnerability, upgrade to 5.18 or greater.


Severity details

The LDAP Agent Update service makes use of an unquoted path. A user with sufficiently high privileges, normally an administrator, could place an arbitrary executable at one of the intermediate locations along the unquoted path, and it would be run the next time the agent starts.
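The following is an added example, not Okta's code, that shows why an unquoted service path is a problem and how to audit for it: given a Windows service ImagePath, it lists every executable location Windows may try before reaching the intended binary (each space-delimited prefix, with ".exe" appended), so that an administrator knows which locations must not be writable. The service names and install paths in SAMPLE_SERVICES are constructed placeholders, not the Okta LDAP Agent's real paths.

```python
# Constructed sample of Windows service ImagePath values (not taken from
# any real host); vendor paths are placeholders, not Okta's.
SAMPLE_SERVICES = {
    "ExampleAgentUpdate": r"C:\Program Files\Example Vendor\Example Agent\updater.exe",
    "ExampleAgent": r'"C:\Program Files\Example Vendor\Example Agent\agentsvc.exe"',
    "Schedule": r"C:\Windows\system32\svchost.exe -k netsvcs",
}


def candidate_paths(image_path: str) -> list[str]:
    """Executables that CreateProcess may try, in order, for a service
    ImagePath. A quoted path yields exactly one candidate. An unquoted
    path is split on spaces and every prefix up to the first token ending
    in '.exe' is a candidate, with '.exe' appended where it is missing
    (the CWE-428 search behaviour this advisory describes)."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return [image_path[1:end]] if end > 1 else []
    tokens = image_path.split(" ")
    candidates = []
    for i, tok in enumerate(tokens):
        prefix = " ".join(tokens[: i + 1])
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"
        candidates.append(prefix)
        if tok.lower().endswith(".exe"):
            break  # remaining tokens are arguments, not path components
    return candidates


def is_unquoted_path_risk(image_path: str) -> bool:
    """True when more than one executable location could be tried."""
    return len(candidate_paths(image_path)) > 1


def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each risky service to the alternate locations that must be
    write-protected (every candidate except the intended final one)."""
    findings = {}
    for name, image_path in services.items():
        cands = candidate_paths(image_path)
        if len(cands) > 1:
            findings[name] = cands[:-1]
    return findings


if __name__ == "__main__":
    for name, extra in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted ImagePath; verify these locations are not writable:")
        for p in extra:
            print(f"  {p}")
```

On a real host the ImagePath values would come from the service configuration (for example `sc qc <service>` or the registry) instead of the constructed sample; the fix the advisory describes is simply to quote the path, which collapses the candidate list to one entry.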

CVE details

CVE ID: CVE-2023-0392
Published Date: 2023-09-19
Vulnerability Type: Unquoted Search Path or Element
CWE: CWE-428
CVSS v3

Score: 3.9

Vector string: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L