Vulnerability Description
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Dex | 2.37.0 |
Related Weaknesses (CWE)
References
- https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/Product
- https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17Patch
- https://github.com/dexidp/dex/issues/2848Issue Tracking
- https://github.com/dexidp/dex/pull/2964Issue TrackingPatch
- https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9rExploit
- https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/Product
- https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17Patch
- https://github.com/dexidp/dex/issues/2848Issue Tracking
- https://github.com/dexidp/dex/pull/2964Issue TrackingPatch
- https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9rExploit
FAQ
What is CVE-2024-23656?
CVE-2024-23656 is a vulnerability with a CVSS score of 7.5 (HIGH). Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1....
How severe is CVE-2024-23656?
CVE-2024-23656 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-23656?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Dex.