CVE-2024-9191

N/A

The Okta Device Access features, provided by the Okta Verify agent for Windows, provides access to the OktaDeviceAccessPipe, which enables attackers in a compromised device to retrieve passwords associated with Desktop MFA passwordless logins. The vulnerability was discovered via routine penetration testing. Note: A precondition of this vulnerability is that the user must be using the Okta Device Access passwordless feature. Okta Device Access users not using passwordless are not affected, and customers only using Okta Verify on platforms other than Windows, or only using FastPass are not affected.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

缺省权限不正确

Okta Verify 安全漏洞

Okta Verify是Okta公司的一款轻量级应用程序，可让您通过两步验证安全地访问您的应用程序，确保您且只有您可以访问您的应用程序帐户。 Okta Verify 5.0.2至5.3.2版本存在安全漏洞，该漏洞源于在Windows版本中，攻击者在设备被攻破的情况下，能够检索与桌面MFA无密码登录相关的密码。

N/A

N/A