Dex is an identity service that uses... CVE-2024-23656

- AV AC AU C I A
发布: 2024-01-25
修订: 2024-01-31

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

0%
暂无可用Exp或PoC
当前有1条受影响产品信息