Security Advisories

CVE-2024-23656

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-23656

CGA ID

CGA-jmwf-rpp8-m7fh

Severity

7.5 High (CVSS v3)

Description

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with the insecure protocol versions TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 appears to set TLS 1.2 as the minimum version, but the whole tlsConfig is ignored after the TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
