x/vulndb: potential Go vuln in github.com/dexidp/dex: CVE-2024-23656 #2476
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package that can be imported, but isn't meant to be outside that module.
Comments
tatianab added the excluded: EFFECTIVELY_PRIVATE label Jan 31, 2024
Change https://go.dev/cl/560816 mentions this issue: |
Change https://go.dev/cl/592778 mentions this issue: |
gopherbot pushed a commit that referenced this issue Jun 28, 2024
Change-Id: I9920757c40e457cb5d033ef0e0a99deb6a5c29b5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592778
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
CVE-2024-23656 references github.com/dexidp/dex, which may be a Go module.
Description:
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
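The failure mode in the description, a configured TLS policy that stops applying once a certificate reloader is wired in, can be modelled and regression-tested with in-memory handshakes. This is an added example, not dex's code: `withReloaderBuggy`, `withReloaderFixed`, `handshakeOK` and `probe` are hypothetical names and the key and certificate are constructed. The lost policy is asserted through cipher suites because the default server minimum TLS version depends on the Go release.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// withReloaderBuggy models the flaw (hypothetical): the config is rebuilt, dropping base's policy.
func withReloaderBuggy(base *tls.Config, get func(*tls.ClientHelloInfo) (*tls.Certificate, error)) *tls.Config {
	return &tls.Config{GetCertificate: get}
}

// withReloaderFixed clones base, so MinVersion and CipherSuites survive.
func withReloaderFixed(base *tls.Config, get func(*tls.ClientHelloInfo) (*tls.Certificate, error)) *tls.Config {
	cfg := base.Clone()
	cfg.GetCertificate = get
	return cfg
}

// handshakeOK probes srv with a client capped at maxVer offering one suite; only negotiation is tested.
func handshakeOK(srv *tls.Config, maxVer, suite uint16) bool {
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	c.SetDeadline(time.Now().Add(2 * time.Second))
	go tls.Server(s, srv).Handshake()
	cli := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: maxVer, CipherSuites: []uint16{suite}}
	return tls.Client(c, cli).Handshake() == nil
}

// probe returns: buggy accepts unlisted suite, fixed accepts it, fixed accepts TLS 1.1, fixed accepts listed suite.
func probe() [4]bool {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key, constructed for the demo
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	get := func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil }
	listed, unlisted := tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
	base := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: []uint16{listed}}
	bad, good := withReloaderBuggy(base, get), withReloaderFixed(base, get)
	return [4]bool{handshakeOK(bad, tls.VersionTLS12, unlisted), handshakeOK(good, tls.VersionTLS12, unlisted),
		handshakeOK(good, tls.VersionTLS11, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), handshakeOK(good, tls.VersionTLS12, listed)}
}

func main() { fmt.Println(probe()) }
```

The same `handshakeOK` probe works as a unit test against whatever function builds the final server `tls.Config`, which catches a policy that is set in one place and silently replaced in another.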