CVE-2024-23656
moderate-risk
Published 2024-01-25
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
Do I need to act?
-
0.24% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (1)
Dex
Affected Vendors
References (10)
Issue Tracking
https://github.com/dexidp/dex/issues/2848
Issue Tracking
https://github.com/dexidp/dex/pull/2964
Issue Tracking
https://github.com/dexidp/dex/issues/2848
Issue Tracking
https://github.com/dexidp/dex/pull/2964
32
/ 100
moderate-risk
Severity
26/34 · High
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal