CVE-2024-23656

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-23656
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23656.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-23656
Aliases
Related
Published
2024-01-25T20:15:41Z
Modified
2025-01-15T05:08:05.090261Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

References

Affected packages

Git / github.com/dexidp/dex

Affected ranges

Type
GIT
Repo
https://github.com/dexidp/dex
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

api/v2.*

api/v2.0.0
api/v2.1.0

v2.*

v2.0.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0-alpha.4
v2.0.0-alpha.5
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.1
v2.1.0
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.14.0
v2.15.0
v2.16.0
v2.17.0
v2.18.0
v2.19.0
v2.2.0
v2.2.3
v2.20.0
v2.21.0
v2.22.0
v2.23.0
v2.24.0
v2.25.0
v2.26.0
v2.27.0
v2.28.0
v2.28.1
v2.29.0
v2.3.0
v2.30.0
v2.31.0
v2.32.0
v2.33.0
v2.34.0
v2.35.0
v2.36.0
v2.37.0
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.7.1
v2.8.0
v2.9.0