High severity (CVSS 7.5) · NVD Advisory · Published Jan 25, 2024 · Updated Jun 17, 2026
CVE-2024-23656
Description
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as the minimum version, but the whole tlsConfig is ignored after the TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
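The defect described above is a wiring mistake rather than a cryptographic one: a hardened tls.Config is built and then never handed to the listener, so the server silently runs on the Go defaults. The following is an added illustration, not Dex's own code, showing that pattern next to its fix in a constructed form: a minimal certReloader (assumed stand-in for the certificate reloader the advisory mentions), a brokenServerConfig that builds the policy and then discards it in favour of a fresh config carrying only the reloader hook, a fixedServerConfig that attaches the hook to the same config that carries MinVersion and CipherSuites, and acceptsLegacyTLS as a unit-level check that would have caught the regression.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sync"
)

// certReloader is a constructed stand-in for a certificate reloader: it holds the
// most recently loaded certificate and serves it from GetCertificate on each handshake.
// A real reloader would also watch the key/cert files and call Store when they change.
type certReloader struct {
	mu   sync.RWMutex
	cert *tls.Certificate
}

func (r *certReloader) Store(c *tls.Certificate) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.cert = c
}

func (r *certReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	if r.cert == nil {
		return nil, fmt.Errorf("certReloader: no certificate loaded yet")
	}
	return r.cert, nil
}

// hardenedTLSConfig is the policy the operator intends: TLS 1.2 minimum and an
// explicit, AEAD-only cipher suite list (suite choice here is illustrative).
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// brokenServerConfig reproduces the shape of the defect: the hardened config is
// computed, but the config actually returned to the listener is a fresh one that
// carries only the reloader hook, so MinVersion and CipherSuites fall back to the
// package defaults (TLS 1.0 minimum on Go releases before 1.22).
func brokenServerConfig(r *certReloader) *tls.Config {
	_ = hardenedTLSConfig() // built, then dropped: this is the bug
	return &tls.Config{GetCertificate: r.GetCertificate}
}

// fixedServerConfig attaches the reloader hook to the same config that carries the
// policy, so reloading certificates no longer discards the version and suite settings.
func fixedServerConfig(r *certReloader) *tls.Config {
	cfg := hardenedTLSConfig()
	cfg.GetCertificate = r.GetCertificate
	return cfg
}

// acceptsLegacyTLS reports whether a server config could negotiate TLS 1.0 or 1.1.
// A zero MinVersion means "use the package default", which must be treated as
// legacy-capable because that default depends on the Go toolchain version.
func acceptsLegacyTLS(cfg *tls.Config) bool {
	return cfg.MinVersion == 0 || cfg.MinVersion < tls.VersionTLS12
}

func main() {
	r := &certReloader{}
	for name, cfg := range map[string]*tls.Config{
		"broken": brokenServerConfig(r),
		"fixed":  fixedServerConfig(r),
	} {
		fmt.Printf("%-6s min=%#04x suites=%d legacyTLS=%v\n",
			name, cfg.MinVersion, len(cfg.CipherSuites), acceptsLegacyTLS(cfg))
	}
}
```

A test such as acceptsLegacyTLS run against the config the listener actually receives is the cheap regression guard; the end-to-end check is to point a client pinned to TLS 1.1 (for example `openssl s_client -tls1_1`) at a staging instance and confirm the handshake is refused.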
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/dexidp/dex | Go | >= 2.37.0, < 2.38.0 | 2.38.0 |
| github.com/dexidp/dex | Go | < 0.0.0-20240125115555-5bbdb4420254 | 0.0.0-20240125115555-5bbdb4420254 |
Affected products
OSV coordinates (5 affected package versions, no CPE assigned):
- pkg:apk/chainguard/dex, range: < 2.38.0-r0
- pkg:apk/chainguard/dex-iamguarded-compat, range: < 2.38.0-r0
- pkg:apk/wolfi/dex, range: < 2.38.0-r0
- pkg:apk/wolfi/dex-iamguarded-compat, range: < 2.38.0-r0
- pkg:golang/github.com/dexidp/dex, range: >= 2.37.0, < 2.38.0
References
- https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17 (NVD: Patch)
- https://github.com/dexidp/dex/pull/2964 (NVD: Issue Tracking, Patch)
- https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r (NVD: Exploit)
- https://github.com/advisories/GHSA-gr79-9v6v-gc9r (GHSA: Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-23656 (GHSA: Advisory)
- https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go (NVD: Product)
- https://github.com/dexidp/dex/issues/2848 (NVD: Issue Tracking)