CVE-2022-39222: 
NixOS vulnerability analysis and mitigation

A critical authentication bypass vulnerability (CVE-2022-39222) was discovered in Dex, affecting versions 2.34.0 and earlier. The vulnerability was disclosed on October 3, 2022, and patched in version 2.35.0. This vulnerability affects Dex instances with public clients and by extension, clients accepting tokens issued by those Dex instances (Dex Advisory).

The vulnerability has a CVSS v3.1 base score of 9.3 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N. The vulnerability stems from a backchannel attack that allows an attacker to fetch an ID token through an intercepted authorization code. The issue occurs during the OpenID Connect (OIDC) flow where the request ID used to look up OAuth codes was predictable (Dex Advisory).

When successfully exploited, an attacker can gain unauthorized access to applications accepting tokens issued by vulnerable Dex instances. The vulnerability allows attackers to obtain OAuth authorization codes which can be exchanged for valid ID tokens, potentially compromising the security of connected applications and services (Dex Advisory).

The vulnerability was patched in Dex version 2.35.0 by implementing message authentication using an HMAC with a randomly generated per-request secret. For unpatched versions, the only effective workaround is disabling public clients. Organizations using affected versions should upgrade to version 2.35.0 or later (Dex Advisory, Red Hat Advisory).