CVE-2024-23656: 
NixOS vulnerability analysis and mitigation

Dex 2.37.0, an identity service that uses OpenID Connect for authentication, contains a security vulnerability where it serves HTTPS with insecure TLS 1.0 and TLS 1.1 protocols. The vulnerability was discovered in January 2024 and affects version 2.37.0 of the software. The issue arises because the TLS configuration is ignored after the TLS cert reloader was introduced, causing the system to fall back to insecure protocols (GitHub Advisory).

The vulnerability stems from a code issue in cmd/dex/serve.go line 425, where although TLS 1.2 is set as the minimum version, the entire TLS configuration is discarded after the 'TLS cert reloader' feature was introduced in version 2.37.0. This results in the server accepting connections using deprecated TLS 1.0 and TLS 1.1 protocols, along with insecure cipher suites. The vulnerability has been assigned a CVSS score of 7.5 (High) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability allows attackers to potentially decrypt TLS 1.0 and TLS 1.1 connections to Dex, compromising the confidentiality of the traffic. This is particularly concerning as Dex handles authentication services, potentially exposing sensitive authentication data to unauthorized access (GitHub Advisory).

The vulnerability has been fixed in Dex version 2.38.0. Users should upgrade to this version to ensure their systems are protected. The fix ensures proper implementation of TLS configuration and disables the insecure TLS 1.0 and 1.1 protocols (GitHub Advisory).