Main Vulnerability Database Vulnerabilities #VU85912

#VU85912 Configuration in Dex - CVE-2024-23656

Published: January 30, 2024

Vulnerability identifier: #VU85912

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-23656

CWE-ID: CWE-16

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Dex

Software vendor:
Dex IdP

Description

The issue may allow a remote attacker to bypass implemented security restrictions.

The issue exists due to the application discards TLSconfig and always serves TLS 1.0/1.1 along with insecure ciphers. A remote attacker can perform MitM attack and gain access to sensitive information.

Remediation

Install updates from vendor's website.

External links

https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
https://github.com/dexidp/dex/issues/2848
https://github.com/dexidp/dex/pull/2964
https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425

#VU85912 Configuration in Dex - CVE-2024-23656

Description

Remediation

External links

Please verify you're human