Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
References
Configurations
History
21 Nov 2024, 08:58
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425 - Product | |
References | () https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17 - Patch | |
References | () https://github.com/dexidp/dex/issues/2848 - Issue Tracking | |
References | () https://github.com/dexidp/dex/pull/2964 - Issue Tracking, Patch | |
References | () https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r - Exploit |
31 Jan 2024, 23:26
Type | Values Removed | Values Added |
---|---|---|
CWE | ||
References | () https://github.com/dexidp/dex/issues/2848 - Issue Tracking | |
References | () https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17 - Patch | |
References | () https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425 - Product | |
References | () https://github.com/dexidp/dex/pull/2964 - Issue Tracking, Patch | |
References | () https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r - Exploit | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CPE | cpe:2.3:a:linuxfoundation:dex:2.37.0:*:*:*:*:*:*:* |
25 Jan 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-25 20:15
Updated : 2024-11-21 08:58
NVD link : CVE-2024-23656
Mitre link : CVE-2024-23656
CVE.ORG link : CVE-2024-23656
JSON object : View
Products Affected
linuxfoundation
- dex