Inadequate Encryption Strength
CVE-2024-23656
Summary
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex version 2.37.0 serves HTTPS with the insecure TLS 1.0 and TLS 1.1 protocol versions. "cmd/dex/serve.go" line 425 seemingly sets TLS 1.2 as the minimum version, but the whole "tlsConfig" is ignored after the "TLS cert reloader", so that version floor is never applied. The configured cipher suites are not respected either.
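The bug class described above, as an added Go example that is not Dex's own code: a hardened tls.Config is built, then discarded when the certificate reloader is wired in with a fresh config. The certReloader type, its method and the check functions are assumptions for illustration.

```go
package main

import "crypto/tls"

// certReloader stands in for the "TLS cert reloader": it hands out the most
// recently loaded certificate on each handshake. Loading logic is omitted and
// the names are assumptions, not Dex's own code.
type certReloader struct{ cert *tls.Certificate }

func (r *certReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return r.cert, nil
}

// baseTLSConfig is the configuration the server intends to serve with:
// TLS 1.2 minimum and an explicit, modern cipher-suite list.
func baseTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// vulnerableServerConfig reproduces the bug class: the reloader is wired in by
// building a brand-new tls.Config, so MinVersion and CipherSuites are silently
// dropped and the server falls back to the toolchain defaults (TLS 1.0 for
// servers on Go releases before 1.22).
func vulnerableServerConfig(r *certReloader) *tls.Config {
	_ = baseTLSConfig() // carefully built, then never used
	return &tls.Config{GetCertificate: r.GetCertificate}
}

// hardenedServerConfig attaches the reloader to the existing config instead,
// so the version floor and the suite list survive.
func hardenedServerConfig(r *certReloader) *tls.Config {
	cfg := baseTLSConfig()
	cfg.GetCertificate = r.GetCertificate
	return cfg
}

// pinsTLS12 reports whether a config explicitly refuses TLS 1.0 and 1.1.
// A zero MinVersion defers to the toolchain default rather than pinning.
func pinsTLS12(cfg *tls.Config) bool {
	return cfg.MinVersion >= tls.VersionTLS12
}

// respectsCipherSuites reports whether an explicit suite list is still in force.
func respectsCipherSuites(cfg *tls.Config) bool {
	return len(cfg.CipherSuites) > 0
}
```

A unit test asserting pinsTLS12 and respectsCipherSuites on the config that is actually passed to the listener catches this regression regardless of which Go release the binary is built with.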
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-326 - Inadequate Encryption Strength
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
References
Advisory Timeline
- Published