CVE-2024-23656

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-326
View all →

Vulnerability Description

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

Related Vulnerabilities

CVE-2002-1697

HIGH
CVSS:7.5(High)

Electronic Code Book (ECB) mode in VTun 2.0 through 2.5 uses a weak encryption algorithm that produces the same ciphertext from the same plaintext blocks, which could allow remote attackers to gain se...

CWE-3262002

CVE-2002-1872

HIGH
CVSS:7.5(High)

Microsoft SQL Server 6.0 through 2000, with SQL Authentication enabled, uses weak password encryption (XOR), which allows remote attackers to sniff and decrypt the password.

CWE-3262002

CVE-2002-1910

HIGH
CVSS:7.5(High)

Click2Learn Ingenium Learning Management System 5.1 and 6.1 uses weak encryption for passwords (reversible algorithm), which allows attackers to obtain passwords.

CWE-3262002

CVE-2004-2172

HIGH
CVSS:7.5(High)

EarlyImpact ProductCart uses a weak encryption scheme to encrypt passwords, which allows remote attackers to obtain the password via a chosen plaintext attack.

CWE-3262004

CVE-2005-2281

HIGH
CVSS:7.5(High)

WebEOC before 6.0.2 uses a weak encryption scheme for passwords, which makes it easier for attackers to crack passwords.

CWE-3262005

CVE-2011-3629

HIGH
CVSS:7.5(High)

Joomla! core 1.7.1 allows information disclosure due to weak encryption

CWE-3262011