SB2024013038 - Insecure TLS configuration in Dex
Published: January 30, 2024
Security Bulletin ID
SB2024013038
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Configuration (CVE-ID: CVE-2024-23656)
The issue may allow a remote attacker to bypass implemented security restrictions.
The issue exists due to the application discards TLSconfig and always serves TLS 1.0/1.1 along with insecure ciphers. A remote attacker can perform MitM attack and gain access to sensitive information.
Remediation
Install update from vendor's website.
References
- https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
- https://github.com/dexidp/dex/issues/2848
- https://github.com/dexidp/dex/pull/2964
- https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
- https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425