Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NLinuxfoundation Dex
APPLinuxfoundation2.37.0
Powiązane podatności
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex instances with...
A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signatu...
Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set...
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 t...
CloudNativePG: eskalacja uprawnień do superużytkownika PostgreSQL przez metrics exporter