CVE-2024-23656 - OpenCVE

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linuxfoundation	Dex

Configuration 1 [-]

cpe:2.3:a:linuxfoundation:dex:2.37.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425
https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
https://github.com/dexidp/dex/issues/2848
https://github.com/dexidp/dex/pull/2964
https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-25T19:45:41.237Z

Updated: 2024-08-01T23:06:25.321Z

Reserved: 2024-01-19T00:18:53.235Z

Link: CVE-2024-23656

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-25T20:15:41.107

Modified: 2024-01-31T23:26:14.650

Link: CVE-2024-23656

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23656", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-19T00:18:53.235Z", "datePublished": "2024-01-25T19:45:41.237Z", "dateUpdated": "2024-08-01T23:06:25.321Z"}, "containers": {"cna": {"title": "Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers", "problemTypes": [{"descriptions": [{"cweId": "CWE-326", "lang": "en", "description": "CWE-326: Inadequate Encryption Strength", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-757", "lang": "en", "description": "CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r"}, {"name": "https://github.com/dexidp/dex/issues/2848", "tags": ["x_refsource_MISC"], "url": "https://github.com/dexidp/dex/issues/2848"}, {"name": "https://github.com/dexidp/dex/pull/2964", "tags": ["x_refsource_MISC"], "url": "https://github.com/dexidp/dex/pull/2964"}, {"name": "https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17", "tags": ["x_refsource_MISC"], "url": "https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17"}, {"name": "https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425", "tags": ["x_refsource_MISC"], "url": "https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425"}], "affected": [{"vendor": "dexidp", "product": "dex", "versions": [{"version": "= 2.37.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-25T19:45:41.237Z"}, "descriptions": [{"lang": "en", "value": "Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0."}], "source": {"advisory": "GHSA-gr79-9v6v-gc9r", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.321Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r"}, {"name": "https://github.com/dexidp/dex/issues/2848", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dexidp/dex/issues/2848"}, {"name": "https://github.com/dexidp/dex/pull/2964", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dexidp/dex/pull/2964"}, {"name": "https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17"}, {"name": "https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:dex:2.37.0:*:*:*:*:*:*:*", "matchCriteriaId": "CFFADC7B-A8BE-437B-B1A8-868ECD4ED5E9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0."}, {"lang": "es", "value": "Dex es un servicio de identidad que utiliza OpenID Connect para impulsar la autenticaci\u00f3n de otras aplicaciones. Dex 2.37.0 sirve HTTPS con TLS 1.0 y TLS 1.1 inseguros. La l\u00ednea 425 de `cmd/dex/serve.go` aparentemente establece TLS 1.2 como versi\u00f3n m\u00ednima, pero el `tlsConfig` completo se ignora despu\u00e9s de que se introdujo el `TLS cert reloader` en v2.37.0. Tampoco se respetan los conjuntos de cifrado configurados. Este problema se solucion\u00f3 en Dex 2.38.0."}], "id": "CVE-2024-23656", "lastModified": "2024-01-31T23:26:14.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-25T20:15:41.107", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/dexidp/dex/issues/2848"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/dexidp/dex/pull/2964"}, {"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-326"}, {"lang": "en", "value": "CWE-757"}], "source": "security-advisories@github.com", "type": "Secondary"}]}