Lucene search
K

6 matches found

NVD
NVD
added 2024/01/25 8:15 p.m.47 views

CVE-2024-23656

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in...

7.5CVSS7.4AI score0.00435EPSS
Exploits1References5
Chainguard
Chainguard
added 2024/01/25 8:15 p.m.48 views

CVE-2024-23656 vulnerabilities

Vulnerabilities for packages: dex...

7.5CVSS7.1AI score0.00435EPSS
Exploits1
Wolfi
Wolfi
added 2024/01/25 8:15 p.m.19 views

CVE-2024-23656 vulnerabilities

Vulnerabilities for packages: dex...

7.5CVSS7.5AI score0.00435EPSS
Exploits1
Cvelist
Cvelist
added 2024/01/25 7:45 p.m.59 views

CVE-2024-23656 Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in...

7.5CVSS7.6AI score0.00435EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2024/01/25 7:45 p.m.7 views

CVE-2024-23656 Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in...

7.5CVSS7.4AI score0.00435EPSS
Exploits1References5
CVE
CVE
added 2024/01/25 7:45 p.m.336 views

CVE-2024-23656

Dex 2.37.0 serves HTTPS with TLS 1.0/1.1 and non-respected cipher suites because tlsConfig is ignored after the TLS cert reloader; minimum TLS version hardening is ineffective. This can allow eavesdropping on TLS 1.0/1.1 traffic. The issue is fixed in Dex 2.38.0.

7.5CVSS7.3AI score0.00435EPSS
Exploits1References5Affected Software1
Rows per page
Query Builder