A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway in version 2020.8.4 and earlier allows attackers with admin access to the Okta Access Gateway UI to execute OS commands as a privileged system account.| Okta Trust
A vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth.| Okta Trust
A vulnerability was identified in Okta Verify for Windows, allowing retrieval of passwords associated with Desktop MFA passwordless logins in a compromised device.| Okta Trust
A vulnerability in Okta Verify for iOS versions 9.25.1 (beta) and 9.27.0 (including beta) allows push notification responses through the iOS ContextExtension feature to bypass proper authentication validation.| Okta Trust
A vulnerability was identified in specific Okta configurations whereby an attacker with valid credentials could bypass configured conditions within application-specific sign-on policies.| Okta Trust
Okta Verify for Windows is vulnerable to privilege escalation through DLL hijacking.| Okta Trust
Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting.| Okta Trust
The Auto-update service for Okta Verify for Windows is vulnerable to two flaws which in combination could be used to execute arbitrary code.| Okta Trust
The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution.| Okta Trust
Okta Advanced Server Access Client versions 1.13.1 through 1.68.1 are vulnerable to command injection due to the third-party library webbrowser.| Okta Trust
On November 1, 2022 the OpenSSL organization disclosed two high-severity vulnerabilities in version 3.0 and above which are patched in OpenSSL 3.0.7. Okta has investigated the usage of the vulnerabilities and will continue to assess the potential impact to our dependencies and third parties. Okta Access Gateway has been found to use the OpenSSL 3.0 codebase since the release of 2022.10.0. Customers that have not yet updated to 2022.10.0 should refrain from updating to 2022.10.0 which cont...| Okta Trust
Okta Active Directory Agent versions 3.8.0 through 3.11.0 installed the Okta AD Agent Update Service using an unquoted path.| Okta Trust
Okta Advanced Server Access Client for Linux and macOS prior to version 1.58.0 was found to be vulnerable to command injection via a specially crafted URL. An attacker who knows a valid team name for the victim and a valid target host to which the user has access can execute commands on the local system.| Okta Trust
Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL.| Okta Trust
Apache Log4j2 2.16.0, as used in Okta RADIUS Server Agent 2.17.1 and lower, did not protect against uncontrolled recursion from self-referential lookups. Although Okta found no evidence that this agent was impacted, because the preconditions required for this vulnerability to be exploitable were absent, we have released an updated version of the agent. The new version includes Log4j 2.17.0, which fixes this issue.| Okta Trust
Apache Log4j2 2.15.0, as used in Okta On-Prem MFA Agent 1.4.6 (formerly Okta RSA SecurID Agent), contained an incomplete fix for CVE-2021-44228, which could allow attackers under certain conditions to craft malicious input data, resulting in a denial of service (DoS) attack. The new version includes Log4j 2.16.0, which fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.| Okta Trust
Apache Log4j2 2.15.0, as used in Okta RADIUS Server Agent 2.17.0, contained an incomplete fix for CVE-2021-44228, which could allow attackers under certain conditions to craft malicious input data, resulting in a denial of service (DoS) attack. The new version includes Log4j 2.16.0, which fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.| Okta Trust
Apache Log4j2 <=2.14.1, as used in Okta On-Prem MFA Agent (formerly Okta RSA SecurID Agent) prior to 1.4.6, does not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers.| Okta Trust
Apache Log4j2 <=2.14.1, as used in Okta RADIUS Server Agent prior to 2.17.0, does not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers.| Okta Trust
Apache Log4j2 2.16.0, as used in Okta On-Prem MFA Agent 1.4.7 and lower (formerly Okta RSA SecurID Agent), did not protect against uncontrolled recursion from self-referential lookups. Although Okta found no evidence that this agent was impacted, because the preconditions required for this vulnerability to be exploitable were absent, we have released an updated version of the agent. The new version includes Log4j 2.17.0, which fixes this issue.| Okta Trust