CVE-2024-23656 — Inadequate Encryption Strength in Dexidp DEX

CWE-326 — Inadequate Encryption Strength CWE-757 — Algorithm Downgrade5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 52.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Dexidp DEX Dexidp DEX Linuxfoundation DEX

Timeline

PublishedJan 25

Latest updateJun 28

Description

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Gogithub.com/dexidp_dex2.37.0 — 2.38.0+1

▶CVEListV5dexidp/dex= 2.37.0

▶NVDlinuxfoundation/dex2.37.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex↗2024-06-28

▶

OSV

Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers↗2024-01-26

▶

GHSA

Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers↗2024-01-26

▶

CVEList

Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers↗2024-01-25

▶