CVE Vulnerabilities

CVE-2024-23656

Inadequate Encryption Strength

Published: Jan 25, 2024 | Modified: Jan 31, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

Weakness

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Affected Software

Name Vendor Start Version End Version
Dex Linuxfoundation 2.37.0 2.37.0

Potential Mitigations

References