6 matches found
CVE-2024-23656
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in...
CVE-2024-23656 vulnerabilities
Vulnerabilities for packages: dex...
CVE-2024-23656 vulnerabilities
Vulnerabilities for packages: dex...
CVE-2024-23656 Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in...
CVE-2024-23656 Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in...
CVE-2024-23656
Dex 2.37.0 serves HTTPS with TLS 1.0/1.1 and non-respected cipher suites because tlsConfig is ignored after the TLS cert reloader; minimum TLS version hardening is ineffective. This can allow eavesdropping on TLS 1.0/1.1 traffic. The issue is fixed in Dex 2.38.0.