CVE-2024-23656 Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers

2024-01-2519:45:41

CWE-326

CWE-757

GitHub_M

www.cve.org

cve-2024-23656

dex

tls configuration

tls 1.0

tls 1.1

cipher suites

dex 2.37.0

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

25.8%

JSON

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

CNA Affected

[
  {
    "vendor": "dexidp",
    "product": "dex",
    "versions": [
      {
        "version": "= 2.37.0",
        "status": "affected"
      }
    ]
  }
]