Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-23656

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

Published

2024-01-25T20:15:41.107

Last Modified

2024-11-21T08:58:06.240

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-326
CWE-757
Type: Primary
CWE-326

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	linuxfoundation	dex	2.37.0	Yes

References

https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425 Product ([email protected])
https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17 Patch ([email protected])
https://github.com/dexidp/dex/issues/2848 Issue Tracking ([email protected])
https://github.com/dexidp/dex/pull/2964 Issue Tracking, Patch ([email protected])
https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r Exploit ([email protected])
https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425 Product (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/dexidp/dex/issues/2848 Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/dexidp/dex/pull/2964 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r Exploit (af854a3a-2127-422b-91ae-364da2661108)