ByteOS Network

NVD Vulnerability Details :

CVE-2024-23656

Analyzed

Source-security-advisories@github.com

Published At-25 Jan, 2024 | 20:15

Updated At-31 Jan, 2024 | 23:26

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Secondary	3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CPE Matches

The Linux Foundation

>>dex>>2.37.0

cpe:2.3:a:linuxfoundation:dex:2.37.0:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-326	Primary	nvd@nist.gov
CWE-326	Secondary	security-advisories@github.com
CWE-757	Secondary	security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425	security-advisories@github.com	Product
https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17	security-advisories@github.com	Patch
https://github.com/dexidp/dex/issues/2848	security-advisories@github.com	Issue Tracking
https://github.com/dexidp/dex/pull/2964	security-advisories@github.com	Issue Tracking Patch
https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r	security-advisories@github.com	Exploit

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History