
Okta Verify for Windows Auto-update Arbitrary Code Execution CVE-2024-0980


Description

The Auto-update service for Okta Verify for Windows is vulnerable to two flaws which in combination could be used to execute arbitrary code.

Affected product and versions

Customers using Okta Verify for Windows who currently have, or previously had, a version prior to 4.10.7 installed.

Note: Customers using Okta Verify on platforms other than Windows are not affected.

Resolution

The vulnerability is fixed in Okta Verify for Windows version 4.10.7. To remediate this vulnerability, upgrade to 4.10.7 or greater.

CVE details

CVE ID

CVE-2024-0980

Published Date

2024-03-26

Vulnerability Type

Improper Limitation of a Pathname to a Restricted Directory, Uncontrolled Search Path or Element

CWE

CWE-22, CWE-427

CVSS v3

Score: 7.1

Vector string: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Acknowledgements

Okta would like to thank Ryan Wincey of Securifera, Inc. for providing information in addressing this vulnerability.

References

Deploy Okta Verify to Windows devices