CVE-2024-23656: Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers

7.5 CVSS

Description

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

Classification

CVE ID: CVE-2024-23656

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-326: Inadequate Encryption Strength CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Affected Products

Vendor: dexidp

Product: dex

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.13% (probability of being exploited)

EPSS Percentile: 34.36% (scored less or equal to compared to others)

EPSS Date: 2025-06-06 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-23656
https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
https://github.com/dexidp/dex/issues/2848
https://github.com/dexidp/dex/pull/2964
https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425

Timeline

2025-06-03 19:40:22 UTC
CVE

Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers