CVE-2024-23656
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-23656
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23656.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-23656
- Aliases
- Related
- Published
- 2024-01-25T20:15:41Z
- Modified
- 2025-01-15T05:08:05.090261Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1.
cmd/dex/serve.goline 425 seemingly sets TLS 1.2 as minimum version, but the wholetlsConfigis ignored afterTLS cert reloaderwas introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0. - References
-
- https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
- https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
- https://github.com/dexidp/dex/pull/2964
- https://github.com/dexidp/dex/issues/2848
- https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425
Affected packages
Git / github.com/dexidp/dex
Affected ranges
- Type
- GIT
- Repo
- https://github.com/dexidp/dex
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
api/v2.*
api/v2.0.0
api/v2.1.0
v2.*
v2.0.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0-alpha.4
v2.0.0-alpha.5
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.1
v2.1.0
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.14.0
v2.15.0
v2.16.0
v2.17.0
v2.18.0
v2.19.0
v2.2.0
v2.2.3
v2.20.0
v2.21.0
v2.22.0
v2.23.0
v2.24.0
v2.25.0
v2.26.0
v2.27.0
v2.28.0
v2.28.1
v2.29.0
v2.3.0
v2.30.0
v2.31.0
v2.32.0
v2.33.0
v2.34.0
v2.35.0
v2.36.0
v2.37.0
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.7.1
v2.8.0
v2.9.0