CVE-2024-23656

2024-01-2520:15:41

CWE-757

CWE-326

GitHub_M

web.nvd.nist.gov

cve-2024-23656

dex

identity service

openid connect

authentication

tls 1.0

tls 1.1

tls 1.2

cipher suites

nvd

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.3

Confidence

High

EPSS

0.001

Percentile

25.8%

JSON

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

Affected configurations

Nvd

Vulners

Node

linuxfoundationdexMatch2.37.0

VendorProductVersionCPE
linuxfoundationdex2.37.0cpe:2.3:a:linuxfoundation:dex:2.37.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linuxfoundation	dex	2.37.0	cpe:2.3:a:linuxfoundation:dex:2.37.0:::::::*

CNA Affected

[
  {
    "vendor": "dexidp",
    "product": "dex",
    "versions": [
      {
        "version": "= 2.37.0",
        "status": "affected"
      }
    ]
  }
]