Headline
CVE-2023-0392: Okta LDAP Agent CVE-2023-0392 | Okta
The LDAP Agent Update service in versions prior to 5.18 used an unquoted path, which could allow arbitrary code execution.
Description
The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution.
Affected product and versions
Okta LDAP Agent customers who currently have, or previously had, a version of the Okta LDAP Agent prior to 5.18 installed.
Resolution
The vulnerability is fixed in Okta LDAP Agent version 5.18. To remediate this vulnerability, upgrade to 5.18 or greater.
Severity details
The LDAP Agent Update service makes use of an unquoted path. A user with sufficiently high privileges, normally an administrator, could place an arbitrary executable into a portion of the path, which would cause it to be run the next time the agent starts.
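The following is an added audit example, not code from Okta or from the advisory. It parses a service's registry ImagePath value, flags the CWE-428 condition described above (an unquoted executable path containing spaces), lists the intermediate locations Windows would try before the intended binary so an administrator can confirm they are not writable by low-privileged users, and produces the quoted ImagePath that remediates it. The service names and paths are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample ImagePath values as they would be read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. Names and paths
# are made up for illustration; they are not Okta's actual values.
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "QuotedSvc": '"C:\\Program Files\\Vendor Tool\\svc.exe" -run',
    "NoSpaceSvc": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "UnquotedUpdater": "C:\\Program Files\\Example Agent\\Update Service\\updater.exe -svc",
}

def split_image_path(image_path: str) -> Tuple[str, str, bool]:
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end], p[end + 1:].strip(), True
    # Unquoted: treat everything up to and including the first ".exe" as the binary.
    m = re.match(r"(.*?\.exe)(.*)", p, re.IGNORECASE | re.DOTALL)
    if m:
        return m.group(1), m.group(2).strip(), False
    return p, "", False

def is_cwe428(image_path: str) -> bool:
    """CWE-428 condition: unquoted executable path that contains a space."""
    exe, _, quoted = split_image_path(image_path)
    return not quoted and " " in exe

def search_candidates(exe: str) -> List[str]:
    """Locations Windows tries before the real binary when the path is unquoted:
    the string is cut at each space in turn and .exe is appended."""
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def quoted_image_path(image_path: str) -> str:
    """Remediated ImagePath: executable wrapped in quotes, arguments preserved."""
    exe, args, _ = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")

def audit(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service to the paths whose parent directories an
    administrator should verify are not writable by low-privileged users."""
    return {name: search_candidates(split_image_path(p)[0])
            for name, p in image_paths.items() if is_cwe428(p)}

if __name__ == "__main__":
    for name, cands in audit(SAMPLE_IMAGE_PATHS).items():
        print(f"{name}: unquoted path with spaces; check {cands}")
        print("  remediated ImagePath:", quoted_image_path(SAMPLE_IMAGE_PATHS[name]))
```

On a real host the same functions can be fed the ImagePath values enumerated from the Services registry key; the fix is the quoted form shown, applied via the service configuration.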
CVE details
CVE ID
CVE-2023-0392
Published Date
2023-09-19
Vulnerability Type
Unquoted Search Path or Element
CWE
CWE-428
CVSS v3
Score: 3.9
Vector string: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L