PT-2022-24822 · Dex · Dex
Bobcallaway +3
Published 2022-10-03 · Updated 2023-07-12 · CVE-2022-39222
CVSS v3.1 9.3 Critical
Vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Dex versions prior to 2.35.0
Description: Dex is an identity service that uses OpenID Connect to drive authentication for other apps. An attacker can exploit this issue by luring a victim to a malicious website and guiding them through a Dex OIDC login flow; once the victim completes authentication, the attacker obtains the OAuth 2.0 authorization code issued for that session. The attacker can then exchange the code for a token and gain access to any application that accepts tokens issued by that Dex instance. The attack requires the victim to complete the flow (UI:R in the vector), and its impact extends to the applications relying on Dex rather than Dex alone (S:C).
Recommendations: Update to version 2.35.0 or later, which resolves the issue. As a temporary workaround for deployments that cannot upgrade yet, consider disabling public clients: a public client redeems an authorization code at the token endpoint without presenting a client secret, so removing public clients reduces the exposure, but it also breaks any application that depends on one. There is no known workaround for affected versions that does not impact behavior.
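The workaround above, expressed in Dex's `staticClients` configuration, as an added example that is not taken from the advisory or from the Dex project: the first entry is a public client (`public: true`, no client secret), the shape a stolen authorization code can be redeemed against without any credential; the second registers the application as a confidential client that must present `secret` at the token endpoint. The client IDs, names, redirect URIs and secret value are assumptions chosen for illustration.

```yaml
# Illustrative Dex staticClients fragment (not from the advisory or Dex docs).
# Client IDs, names, redirect URIs and the secret below are made up.
staticClients:
  # Weak shape: a public client exchanges an authorization code at /token
  # without a client secret, so a code stolen from a victim is directly usable.
  - id: example-cli
    name: 'Example CLI'
    public: true
    redirectURIs:
      - 'http://127.0.0.1:5555/callback'

  # Workaround shape: no `public: true`; the client holds a secret that the
  # token endpoint requires before it will exchange a code for a token.
  - id: example-app
    name: 'Example App'
    secret: ZXhhbXBsZS1hcHAtc2VjcmV0
    redirectURIs:
      - 'https://app.example.com/callback'
```

Removing every `public: true` entry (or converting it to a confidential client as above) is the behavior-impacting workaround the advisory describes; applications that cannot hold a secret, such as CLI tools that rely on a public client, stop working until the instance is upgraded to 2.35.0 and the public client is restored.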

Exploit · Fix

Weakness Enumeration: Missing Authorization, Information Disclosure

Related Identifiers: CVE-2022-39222, GHSA-VH7G-P26C-J2CW

Affected Products: Dex