Lucene search

[email protected]NVD:CVE-2024-23656

HistoryJan 25, 2024 - 8:15 p.m.

CVE-2024-23656

2024-01-2520:15:41

CWE-326

CWE-757

[email protected]

web.nvd.nist.gov

dex

identity service

openid connect

authentication

insecure tls

cve-2024-23656

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

25.8%

JSON

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

Affected configurations

Nvd

Node

linuxfoundationdexMatch2.37.0

VendorProductVersionCPE
linuxfoundationdex2.37.0cpe:2.3:a:linuxfoundation:dex:2.37.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linuxfoundation	dex	2.37.0	cpe:2.3:a:linuxfoundation:dex:2.37.0:::::::*

References

github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425

github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17

github.com/dexidp/dex/issues/2848

github.com/dexidp/dex/pull/2964

github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

25.8%

JSON

Related for NVD:CVE-2024-23656

osv4 cvelist1 veracode1 github1 cgr1 cve1 prion1 wolfi1