CVE-2024-23656: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
References
- github.com/advisories/GHSA-gr79-9v6v-gc9r
- github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go
- github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
- github.com/dexidp/dex/issues/2848
- github.com/dexidp/dex/pull/2964
- github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
- nvd.nist.gov/vuln/detail/CVE-2024-23656
Detect and mitigate CVE-2024-23656 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →