CVE-2022-39222
Dex is an OpenID Connect identity service. Affected versions prior to 2.35.0 with public clients can have the OAuth authorization code exposed during the OIDC flow when a victim visits a malicious site. An attacker can then exchange the stolen authorization code for a token to gain access to appl...
CVE-2024-23656
Dex 2.37.0 serves HTTPS with TLS 1.0/1.1 and with cipher suites that do not honor the configured restrictions, because tlsConfig is ignored once the TLS certificate reloader is installed; the minimum-TLS-version hardening is therefore ineffective. This can allow eavesdropping on TLS 1.0/1.1 traffic. The issue is fixed in Dex 2.38.0.
CVE-2020-26290
Dex (Dexidp) is affected by CVE-2020-26290: before v2.27.0, flaws in the Go standard library's XML encoding could enable a signature bypass in the SAML connector. The issue has been addressed in Dex v2.27.0 by adopting the xml-roundtrip-validator from Mattermost. Affected and related adviso...
CVE-2020-27847
The CVE-2020-27847 issue is in the SAML connector of github.com/dexidp/dex, affecting Dex versions prior to 2.27.0 and enabling bypass of SAML authentication due to a flaw in Signature Validation. It impacts confidentiality, integrity, and availability. The cited mitigation is to upgrade to Dex v...