cbcvebase.
CVE-2024-23656
published 2024-01-25

CVE-2024-23656: Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1…

PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.43%
34.8th percentile
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

Affected

4 ranges
VendorProductVersion rangeFixed in
dexidpdex
github.comdexidp_dex>= 0 < 0.0.0-20240125115555-5bbdb44202540.0.0-20240125115555-5bbdb4420254
github.comdexidp_dex>= 2.37.0 < 2.38.02.38.0
linuxfoundationdex
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.