CVE-2024-23656: Dex discards its TLS config and always serves deprecated TLS 1.0/1.1 and insecure ciphers
Dex 2.37.0 serves HTTPS with the deprecated TLS 1.0 and TLS 1.1 protocol versions, regardless of the TLS configuration it was given.
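As an added example (not Dex's code and not the fix from the linked commit), the Go probe below serves HTTPS with a given tls.Config on loopback and reports the TLS version a protocol-capped client actually negotiates, which is the check that catches a server silently ignoring its configured MinVersion. The legacy config is constructed to stand in for the behaviour described above; the hardened config is what an operator expects to be honoured.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// legacyTLSConfig stands in for what the vulnerable build effectively served (TLS 1.0 minimum).
// Constructed for this probe; not taken from Dex.
func legacyTLSConfig() *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS10} }

// hardenedTLSConfig is the policy an operator expects to be honoured: TLS 1.2+ and AEAD ECDHE suites.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{ // applies to TLS 1.2 only; TLS 1.3 suites are fixed by Go
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// negotiatedVersion serves HTTPS with serverCfg on loopback, connects with a client pinned to
// [clientMin, clientMax] and returns the negotiated TLS version, or an error if the server refused.
func negotiatedVersion(serverCfg *tls.Config, clientMin, clientMax uint16) (uint16, error) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = serverCfg // httptest clones it and adds its own self-signed test certificate
	srv.StartTLS()
	defer srv.Close()
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		InsecureSkipVerify: true, // self-signed test cert; only the negotiated version matters here
		MinVersion:         clientMin,
		MaxVersion:         clientMax,
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	for name, cfg := range map[string]*tls.Config{"legacy": legacyTLSConfig(), "hardened": hardenedTLSConfig()} {
		if v, err := negotiatedVersion(cfg, tls.VersionTLS10, tls.VersionTLS11); err != nil {
			fmt.Printf("%-8s refuses a TLS 1.0/1.1-only client: %v\n", name, err)
		} else {
			fmt.Printf("%-8s ACCEPTS a TLS 1.0/1.1-only client (negotiated 0x%04x)\n", name, v)
		}
	}
}
```

Pointing the same client at a real listener (instead of the httptest server) turns this into a deployment check for the configured minimum version.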
References
- github.com/advisories/GHSA-gr79-9v6v-gc9r
- github.com/dexidp/dex
- github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go
- github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
- github.com/dexidp/dex/issues/2848
- github.com/dexidp/dex/pull/2964
- github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
- nvd.nist.gov/vuln/detail/CVE-2024-23656