Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-01-25T19:45:41.237Z
Updated: 2024-01-25T19:45:41.237Z
Reserved: 2024-01-19T00:18:53.235Z
Link: CVE-2024-23656
JSON object: View
NVD Information
Status : Analyzed
Published: 2024-01-25T20:15:41.107
Modified: 2024-01-31T23:26:14.650
Link: CVE-2024-23656
JSON object: View
Redhat Information
No data.