github.com/dexidp/dex vulnerabilities

4 known vulnerabilities affecting github.com/dexidp/dex.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 1, MEDIUM 1

Vulnerabilities

CVE-2024-23656 [HIGH] CWE-326
Affected versions: ≥ 2.37.0, < 2.38.0; ≥ 0, < 0.0.0-20240125115555-5bbdb4420254
Published: 2024-01-26
Title: Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
Summary: Dex 2.37.0 is serving HTTPS with insecure TLS 1.0 and TLS 1.1.
Details: While working on https://github.com/dexidp/dex/issues/2848 and implementing configurable TLS support, I noticed my changes did not have any effect in TLS config, so I started investigating. https://github
CVE-2022-39222 [CRITICAL] CWE-200
Affected versions: ≥ 0, < 2.35.0
Published: 2022-10-03
Title: Dex vulnerable to Man-in-the-Middle allowing ID token capture via intercepted authorization code
Impact: Dex instances with public clients (and by extension, clients accepting tokens issued by those Dex instances) are affected by this vulnerability. An attacker can exploit this vulnerability by making a victim navigate to a malicious website and guiding them thr
CVE-2020-27847 [CRITICAL] CWE-228
Affected versions: ≥ 0, < 2.27.0
Published: 2021-12-20
Title: Authentication Bypass in dex
Description: A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0.
CVE-2020-26290 [MEDIUM] CVSS 6.5, CWE-347
Affected versions: ≥ 0, < 2.27.0
Published: 2021-12-20
Title: Critical security issues in XML encoding in github.com/dexidp/dex
Impact: The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
- Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
- `encoding/xml` instabilities: - [Element namespace prefix instability (CVE-2020-29511)](ht