Headline
CVE-2022-24295: Okta Advanced Server Access Client
Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL.
Affected product and versions
Okta Advanced Server Access Client for Windows prior to version 1.57.0.
Resolution
The vulnerability is fixed in Okta Advanced Server Access Client for Windows version 1.57.0. To remediate this vulnerability, upgrade Okta Advanced Server Access Client for Windows.
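One way to find Windows hosts still running a client below the fixed version, as an added example that is not part of the advisory or Okta's tooling. The Uninstall registry paths and the "*Advanced Server Access*" DisplayName pattern are assumptions about how the client registers itself; adjust them to what your inventory shows.

```powershell
# Added example (not from the Okta advisory): compare the installed ASA Windows client
# version against the fixed version named in the advisory (1.57.0).
$FixedVersion = [version]'1.57.0'

# Assumed locations where the installer registers itself.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AsaClientStatus {
    Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Advanced Server Access*' } |  # assumed DisplayName
        ForEach-Object {
            $installed = $null
            # DisplayVersion may be empty or non-numeric; report that as Unknown, never as Fixed.
            $parsed = [version]::TryParse($_.DisplayVersion, [ref]$installed)
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                DisplayName  = $_.DisplayName
                Version      = $_.DisplayVersion
                Status       = if (-not $parsed) { 'Unknown' }
                               elseif ($installed -lt $FixedVersion) { 'Vulnerable (CVE-2022-24295)' }
                               else { 'Fixed' }
            }
        }
}

$results = Get-AsaClientStatus
if (-not $results) {
    Write-Output "No Okta Advanced Server Access client found on $env:COMPUTERNAME"
} else {
    $results | Format-Table -AutoSize
}
```

Run it through your usual remote-execution channel (for example Invoke-Command) to collect results fleet-wide; any host reporting Vulnerable or Unknown should be upgraded or inspected by hand.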
CVE details
CVE ID: CVE-2022-24295
Published Date: February 17, 2022
Vulnerability Type: Remote Code Execution
CWE: CWE-94
CVSS v3 Score: 8.1
CVSS v3 Vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Acknowledgements
Okta would like to thank their partner Recurity Labs for assistance on this finding.
Okta’s priority is always platform security and customer trust. Okta’s vulnerability management program uses a variety of methods to identify and fix security issues. When we score vulnerabilities, we use the CVSS version 3.1 framework.
Legal Disclaimer:
The information provided in Okta’s Security Advisories is provided “as is” without warranty of any kind. Okta disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Okta or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Okta or its suppliers have been advised of the possibility of such damages. The foregoing exclusions will not apply to the extent prohibited by applicable law.