CVE-2024-23656

Good to know:

Date: January 25, 2024

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with the insecure TLS 1.0 and TLS 1.1 protocol versions. `cmd/dex/serve.go` line 425 appears to set TLS 1.2 as the minimum version, but the whole `tlsConfig` is ignored after the TLS cert reloader was introduced in v2.37.0, so the configured minimum version is never applied. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
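The defect class described above is a configured `tls.Config` being replaced rather than extended when a certificate reloader is wired in, so `MinVersion` and `CipherSuites` silently revert to defaults. The following Go program is an added illustration, not Dex's own code: `naiveReloaderConfig` reproduces the pattern of building a fresh config around a `GetCertificate` callback, `withCertReloader` shows the fix of cloning the base policy, `auditTLSConfig` is a static check a reviewer can run over any server config, and `handshakeAccepted` performs a real in-process handshake over `net.Pipe` with a client pinned to one protocol version, which is the runtime check that confirms TLS 1.0/1.1 are actually refused. The cipher-suite list, the self-signed test certificate and all function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// hardenedTLSConfig is the intended policy: TLS 1.2 minimum and an explicit
// AEAD-only cipher-suite list (an assumed list, not Dex's configuration).
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// naiveReloaderConfig reproduces the defect class: a brand-new tls.Config is
// built for the reloader, so MinVersion and CipherSuites of the base are lost.
func naiveReloaderConfig(getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error)) *tls.Config {
	return &tls.Config{GetCertificate: getCert}
}

// withCertReloader is the corrected pattern: clone the base policy and only
// add the dynamic certificate lookup on top of it.
func withCertReloader(base *tls.Config, getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error)) *tls.Config {
	cfg := base.Clone()
	cfg.GetCertificate = getCert
	return cfg
}

// auditTLSConfig is a static check over a server config: it fails when the
// minimum version is not pinned to TLS 1.2 or higher, or when any configured
// suite is one that crypto/tls itself classifies as insecure.
func auditTLSConfig(cfg *tls.Config) error {
	if cfg.MinVersion < tls.VersionTLS12 {
		return fmt.Errorf("MinVersion 0x%04x is not pinned to TLS 1.2 or higher", cfg.MinVersion)
	}
	for _, id := range cfg.CipherSuites {
		for _, weak := range tls.InsecureCipherSuites() {
			if id == weak.ID {
				return fmt.Errorf("insecure cipher suite configured: %s", weak.Name)
			}
		}
	}
	return nil
}

// selfSignedCert builds a throwaway P-256 certificate for the in-process test
// (constructed here; never use it outside a test).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshakeAccepted runs one handshake over an in-memory pipe with a client
// pinned to exactly clientVersion and reports whether the server accepted it.
func handshakeAccepted(serverCfg *tls.Config, clientVersion uint16) bool {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	deadline := time.Now().Add(5 * time.Second)
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)
	go func() {
		// Server outcome is observed on the client side (alert or success).
		_ = tls.Server(srvConn, serverCfg).Handshake()
	}()
	client := tls.Client(cliConn, &tls.Config{
		InsecureSkipVerify: true, // self-signed test certificate from selfSignedCert
		MinVersion:         clientVersion,
		MaxVersion:         clientVersion,
	})
	return client.Handshake() == nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	getCert := func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return &cert, nil }
	fmt.Println("naive reloader config audit:   ", auditTLSConfig(naiveReloaderConfig(getCert)))
	hard := withCertReloader(hardenedTLSConfig(), getCert)
	fmt.Println("hardened reloader config audit:", auditTLSConfig(hard))
	for _, v := range []uint16{tls.VersionTLS11, tls.VersionTLS12} {
		fmt.Printf("hardened server, client pinned to 0x%04x: accepted=%v\n", v, handshakeAccepted(hard, v))
	}
}
```

The static audit catches the regression at review time, since a config with `MinVersion` left at zero fails it regardless of what the Go runtime's default happens to be; the pipe-based handshake is the check to keep in a test suite, because it exercises the config the server really installs rather than the one a developer believes is installed.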

Language: Go

Severity Score

Weakness Type (CWE)

Inadequate Encryption Strength

CWE-326

Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

CWE-757

Top Fix

Upgrade Version

Upgrade to version v2.38.0

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE
