PT-2024-20005 · Dex · Dex

Tuminoid · Published 2024-01-25 · Updated 2024-06-28 · CVE-2024-23656

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Dex version 2.37.0

Description: Dex is an identity service that uses OpenID Connect to drive authentication for other apps. The issue arises from Dex serving HTTPS with the insecure TLS 1.0 and TLS 1.1 protocols. After the introduction of the "TLS cert reloader" in version 2.37.0, the tlsConfig is ignored, so the configured minimum protocol version and cipher suites are not respected. This allows TLS 1.0 and TLS 1.1 connections to be decrypted by an attacker, potentially exposing traffic to Dex. The issue is fixed in Dex version 2.38.0.

Recommendations: For Dex version 2.37.0, update to version 2.38.0 to resolve the issue. As a temporary workaround, consider disabling the use of TLS 1.0 and TLS 1.1 until the patch can be applied. Restrict access to the vulnerable cmd/dex/serve.go module to minimize the risk of exploitation. Avoid using insecure cipher suites on the affected API endpoints until the issue is resolved.
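The defect pattern described above, sketched as an added Go example (not code from the Dex repository): a hardened tls.Config is built from the operator's settings, but the server is started with a fresh config created only to carry the certificate-reloader callback, so MinVersion and CipherSuites fall back to the Go toolchain defaults. The certReloader type, the function names and the cipher list are assumptions for illustration; hardeningDropped is the kind of pre-listen guard a deployment can run to catch the regression.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// hardenedTLSConfig is the operator-intended policy from tlsConfig: TLS 1.2+ and
// an explicit cipher-suite list (illustrative suites, not Dex's actual list).
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
	}
}

// certReloader is a hypothetical stand-in for a hot-reloading certificate source.
type certReloader struct{ cert *tls.Certificate }

func (r *certReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return r.cert, nil
}

// brokenServerConfig models the defect pattern: a fresh tls.Config is created just
// to carry the reloader callback, so the hardened config is never wired in and
// MinVersion/CipherSuites fall back to toolchain defaults (TLS 1.0 before Go 1.22).
func brokenServerConfig(hardened *tls.Config, r *certReloader) *tls.Config {
	_ = hardened // built, then silently discarded
	return &tls.Config{GetCertificate: r.GetCertificate}
}

// fixedServerConfig attaches the reloader to the hardened config instead.
func fixedServerConfig(hardened *tls.Config, r *certReloader) *tls.Config {
	cfg := hardened.Clone()
	cfg.GetCertificate = r.GetCertificate
	return cfg
}

// hardeningDropped is a pre-listen guard: true when the config about to reach
// tls.Listen carries neither an explicit MinVersion nor a cipher-suite list.
func hardeningDropped(cfg *tls.Config) bool {
	return cfg.MinVersion == 0 || len(cfg.CipherSuites) == 0
}

func main() {
	r := &certReloader{}
	fmt.Println("broken config, hardening dropped:", hardeningDropped(brokenServerConfig(hardenedTLSConfig(), r)))
	fmt.Println("fixed config, hardening dropped: ", hardeningDropped(fixedServerConfig(hardenedTLSConfig(), r)))
}
```

Whether the zero-value MinVersion actually admits TLS 1.0 depends on the Go toolchain the binary was built with, which is why the guard checks the configuration rather than the handshake outcome.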

Weakness Enumeration

Inadequate Encryption Strength

Related Identifiers

CVE-2024-23656
GHSA-GR79-9V6V-GC9R
GO-2024-2476

Affected Products

Dex