CVE-2025-7371

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-7371
Okta On-Premises Provisioning (OPP) agents log certain user data during administrator-initiated password resets. This vulnerability allows an attacker with access to the local servers running OPP agents to retrieve user personal information and temporary passwords created during password reset. You are affected by this vulnerability if the following preconditions are met: Local server running OPP agent with versions >=2.2.1 and <= 2.3.0, and User account has had an administrator-initiated password reset while using the affected versions.

6.8 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://help.okta.com/oie/en-us/content/topics/settings/version_histories/ver_history_opp_agent.htm
Configurations

No configuration.

History

25 Jul 2025, 15:29

Type Values Removed Values Added
Summary
  • (es) Los agentes de Okta On-Premises Provisioning (OPP) registran ciertos datos de usuario durante los restablecimientos de contraseña iniciados por el administrador. Esta vulnerabilidad permite a un atacante con acceso a los servidores locales que ejecutan agentes OPP recuperar información personal del usuario y contraseñas temporales creadas durante el restablecimiento de contraseña. Esta vulnerabilidad afecta a los usuarios si se cumplen las siguientes condiciones: el servidor local ejecuta el agente OPP con versiones anteriores a la 2.2.1 y anteriores a la 2.3.0, y la cuenta de usuario ha sido restablecida por el administrador mientras utilizaba las versiones afectadas.

22 Jul 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-22 16:15

Updated : 2025-07-25 15:29

NVD link : CVE-2025-7371

Mitre link : CVE-2025-7371

CVE.ORG link : CVE-2025-7371

JSON object : View

Products Affected

No product.

CWE
CWE-532

Insertion of Sensitive Information into Log File