
CVE-2024-23656

Published: 25 Jan. 2024
Source: nvd
CVSS3: 7.5
EPSS: Low

Description

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

Vulnerable configurations

Configuration 1
cpe:2.3:a:linuxfoundation:dex:2.37.0:*:*:*:*:*:*:*

EPSS

Percentile: 40%
0.00182
Low

7.5 High

CVSS3

Weaknesses

CWE-326

Related vulnerabilities

CVSS3: 7.5
debian
about 2 years ago

Dex is an identity service that uses OpenID Connect to drive authentic ...

CVSS3: 7.5
github
about 2 years ago

Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
