CVE-2024-23656

HIGH

Dex <2.38.0 - SSL/TLS

Title source: llm

Description

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

References (5)

[Exploit] https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r

[Issue Tracking] https://github.com/dexidp/dex/issues/2848

[Issue Tracking, Patch] https://github.com/dexidp/dex/pull/2964

[Patch] https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17

View Patch ZIP pw:eip

[Product] https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425

Scores

CVSS v3 7.5

EPSS 0.0024

EPSS Percentile 46.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-757 CWE-326

Status published

Products (2)

dexidp/dex 2.37.0 - 2.38.0Go

linuxfoundation/dex 2.37.0

Published Jan 25, 2024

Tracked Since Feb 18, 2026