High severity (CVSS 7.5, NVD Advisory) · Published Jan 25, 2024 · Updated Jun 17, 2026

CVE-2024-23656

Description

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
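Added example, not Dex's code: a Go reconstruction of the bug class the description names, where wiring in a certificate reloader replaces the hardened tls.Config instead of extending it. The reloader type, function names and cipher suite are assumptions; hardeningIntact is the check to run on the config that actually reaches the listener.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// certReloader is a constructed stand-in for a hot-reloading certificate source.
type certReloader struct{ cert *tls.Certificate }

func (r *certReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return r.cert, nil
}

// intendedConfig is what the operator configured: TLS 1.2 minimum plus an
// explicit cipher suite list (suite chosen here for illustration only).
func intendedConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
	}
}

// wireReloaderBroken shows the bug class: wiring the reloader builds a fresh
// tls.Config and never reads intended, so MinVersion and CipherSuites are lost.
// MinVersion stays at its zero value (the Go runtime default), which on the Go
// releases current when this CVE was published still admitted TLS 1.0 and 1.1.
func wireReloaderBroken(intended *tls.Config, r *certReloader) *tls.Config {
	return &tls.Config{GetCertificate: r.GetCertificate}
}

// wireReloaderFixed attaches the reloader to the configured tls.Config instead
// of replacing it, so the hardening settings survive.
func wireReloaderFixed(intended *tls.Config, r *certReloader) *tls.Config {
	cfg := intended.Clone()
	cfg.GetCertificate = r.GetCertificate
	return cfg
}

// hardeningIntact is the check to run on the tls.Config that actually reaches
// the listener, not on the one built earlier in the setup path.
func hardeningIntact(cfg *tls.Config) bool {
	return cfg != nil && cfg.MinVersion >= tls.VersionTLS12 && len(cfg.CipherSuites) > 0 && cfg.GetCertificate != nil
}

func main() {
	r := &certReloader{}
	fmt.Println("broken:", hardeningIntact(wireReloaderBroken(intendedConfig(), r))) // false
	fmt.Println("fixed:", hardeningIntact(wireReloaderFixed(intendedConfig(), r)))   // true
}
```

The same check belongs in an integration test that dials the real listener and asserts the handshake fails for TLS 1.0 and 1.1, since a unit check on the config cannot see a later overwrite.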

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Ecosystem   Affected versions                      Patched versions
github.com/dexidp/dex   Go          >= 2.37.0, < 2.38.0                    2.38.0
github.com/dexidp/dex   Go          < 0.0.0-20240125115555-5bbdb4420254    0.0.0-20240125115555-5bbdb4420254
