CVE-2024-23656
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| dexidp | dex | = 2.37.0 | affected |
Weaknesses
- CWE-326: CWE-326: Inadequate Encryption Strength
- CWE-757: CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
- https://github.com/dexidp/dex/issues/2848
- https://github.com/dexidp/dex/pull/2964
- https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
- https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
- https://github.com/dexidp/dex/issues/2848
- https://github.com/dexidp/dex/pull/2964
- https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
- https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.