Dex v 2.42.0 contains high and critical vulnerabilities #21984

Open
charles-horel-rogers opened this issue Feb 24, 2025 · 0 comments
Labels: bug (Something isn't working)

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

Dex v2.42.0 still has a Go vulnerability present:

| Severity | ID | Package | Title | Fix Available | Fixed Version |
| --- | --- | --- | --- | --- | --- |
| HIGH | CVE-2024-45338 | golang.org/x/net | golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html | Yes | 0.33.0 |

Trivy is also finding numerous vulnerabilities that were patched in previous versions of dex (2.27 & 2.35):
| Severity | ID | Package | Title | Fix Available | Fixed Version |
| --- | --- | --- | --- | --- | --- |
| CRITICAL | CVE-2020-26290 | github.com/dexidp/dex | Critical security issues in XML encoding in github.com/dexidp/dex | Yes | 2.27.0 |
| CRITICAL | CVE-2020-27847 | github.com/dexidp/dex | dexidp/dex: authentication bypass in saml authentication | Yes | 2.27.0 |
| CRITICAL | CVE-2022-39222 | github.com/dexidp/dex | dexidp: gaining access to applications accepting that token | Yes | 2.35.0 |
| CRITICAL | CVE-2020-26290 | github.com/dexidp/dex | Critical security issues in XML encoding in github.com/dexidp/dex | Yes | 2.27.0 |
| CRITICAL | CVE-2020-27847 | github.com/dexidp/dex | dexidp/dex: authentication bypass in saml authentication | Yes | 2.27.0 |
| CRITICAL | CVE-2022-39222 | github.com/dexidp/dex | dexidp: gaining access to applications accepting that token | Yes | 2.35.0 |

To Reproduce

Expected behavior

That the latest patched version of dex contains no high/critical vulnerabilities

Screenshots

Version

Paste the output from `argocd version` here.

Logs

Paste any relevant application logs here.