
Okta Verify for Windows Auto-update Arbitrary Code Execution CVE-2024-0980


Description

The auto-update service for Okta Verify for Windows is affected by two flaws, a path traversal (CWE-22) and an uncontrolled search path element (CWE-427), which in combination could be used to execute arbitrary code.

Affected product and versions

Customers using Okta Verify for Windows on endpoints that currently have, or previously had, a version prior to 4.10.7 installed.

Note: Customers using Okta Verify on platforms other than Windows are not affected.

Resolution

The vulnerability is fixed in Okta Verify for Windows version 4.10.7. To remediate this vulnerability, upgrade to 4.10.7 or greater.
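The following PowerShell script is an added example for inventorying Okta Verify for Windows installs and flagging any version below the fixed release; it is not part of the advisory or Okta's own tooling. It assumes the product registers under the standard Windows Uninstall registry keys with a DisplayName beginning "Okta Verify" (an assumption; adjust the filter for your deployment).

```powershell
# Added example (not from the advisory): find Okta Verify for Windows installs
# and flag versions older than the fixed release named in the Resolution section.
#
# Assumption: Okta Verify registers under the standard Uninstall keys with a
# DisplayName starting "Okta Verify". Change the -like pattern if it differs.

$FixedVersion = [version]'4.10.7'   # first fixed version per the advisory

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-OktaVerifyInstall {
    # Enumerate every Uninstall entry whose DisplayName matches, parse its
    # DisplayVersion as a System.Version, and compare against $FixedVersion.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Okta Verify*' } |
        ForEach-Object {
            $parsed = $null
            # TryParse avoids throwing on a malformed or missing DisplayVersion;
            # an unparseable version is reported as $null rather than "safe".
            $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Vulnerable     = if ($ok) { $parsed -lt $FixedVersion } else { $null }
                RegistryPath   = $_.PSPath
            }
        }
}

# Report installs that are below 4.10.7 or whose version could not be parsed.
Get-OktaVerifyInstall |
    Where-Object { $_.Vulnerable -ne $false } |
    Format-Table ComputerName, DisplayName, DisplayVersion, Vulnerable -AutoSize
```

Run it locally or wrap the function and variables in an `Invoke-Command` script block to sweep a fleet. Note that the registry only reflects the currently installed build; because the advisory scopes affected endpoints to those that currently have or previously had a version prior to 4.10.7, an endpoint that was upgraded before this advisory was published still falls within scope and should be confirmed to be on 4.10.7 or later.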

CVE details

CVE ID: CVE-2024-0980

Published Date: 2024-03-26

Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory; Uncontrolled Search Path or Element

CWE: CWE-22, CWE-427

CVSS v3

Score: 7.1

Vector string: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Acknowledgements

Okta would like to thank Ryan Wincey of Securifera, Inc. for providing the information that helped address this vulnerability.