CVE-2024-23656
- Reference to the description:
- Description:
- Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
- Last updated date:
- 01/31/2024
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 01/31/2024
- Reference url to background
https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r