CVE-2022-24295: 
Okta Advanced Server Access Client vulnerability analysis and mitigation

Okta Advanced Server Access Client for Windows prior to version 1.57.0 was identified with a command injection vulnerability (CVE-2022-24295) that could be exploited through a specially crafted URL. The vulnerability was disclosed on February 17, 2022, affecting the Windows version of the Okta Advanced Server Access Client (Okta Advisory).

The vulnerability is classified as a Remote Code Execution (RCE) vulnerability, specifically a command injection flaw (CWE-94). According to the CVSS v3 scoring system, it received a high severity score of 8.8 with the following vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability is network exploitable, requires low attack complexity, needs no privileges, but does require user interaction (Okta Advisory).

The vulnerability's high CVSS score of 8.8 indicates severe potential impacts, with possible compromises to confidentiality, integrity, and availability of the affected systems. As a command injection vulnerability, successful exploitation could allow attackers to execute arbitrary commands on the target system (Okta Advisory).

Okta has released version 1.57.0 of the Advanced Server Access Client for Windows to address this vulnerability. Users are advised to upgrade to this version or later to remediate the security risk (Okta Advisory).

The vulnerability was discovered and reported by Andreas Lindh at Recurity Labs, demonstrating collaborative security research efforts between Okta and security partners (Okta Advisory).