Skip to main content
New to Testkube? Unleash the power of cloud native testing in Kubernetes with Testkube. Get Started >

dex-v2.41.1_linux_amd64

digestsha256:bdf1b97afc58a4b5696348d9f15f02654688a9620cf4ca510ff36fcbbf54a86e
vulnerabilitiescritical: 0 high: 9 medium: 1 low: 2 unspecified: 3
size38 MB
packages237
critical: 0 high: 4 medium: 0 low: 0 unspecified: 1stdlib 1.22.4 (golang)

pkg:golang/stdlib@1.22.4

# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range
>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

unspecified : CVE--2024--34155

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

critical: 0 high: 3 medium: 0 low: 0 unspecified: 1stdlib 1.22.5 (golang)

pkg:golang/stdlib@1.22.5

# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

unspecified : CVE--2024--34155

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

critical: 0 high: 1 medium: 0 low: 0 unspecified: 1openssl 3.3.1-r3 (apk)

pkg:apk/alpine/openssl@3.3.1-r3?os_name=alpine&os_version=3.20

# Dockerfile (38:57)
FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS stager

RUN mkdir -p /var/dex
RUN mkdir -p /etc/dex
COPY config.docker.yaml /etc/dex/

FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS gomplate

ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT

ENV GOMPLATE_VERSION=v4.0.1

RUN wget -O /usr/local/bin/gomplate \
"https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \
&& chmod +x /usr/local/bin/gomplate

# For Dependabot to detect base image versions
FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS alpine

high : CVE--2024--6119

Affected range<3.3.2-r0
Fixed version3.3.2-r0
EPSS Score0.04%
EPSS Percentile17th percentile
Description

unspecified : CVE--2024--9143

Affected range<3.3.2-r1
Fixed version3.3.2-r1
EPSS Score0.04%
EPSS Percentile11th percentile
Description
critical: 0 high: 1 medium: 0 low: 0 github.com/dexidp/dex 2.41.1 (golang)

pkg:golang/github.com/dexidp/dex@2.41.1

# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex

high : CVE--2024--23656

Affected range>=0
Fixed versionNot Fixed
EPSS Score0.06%
EPSS Percentile27th percentile
Description

Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex.

NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.

(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)

The additional affected modules and versions are: github.com/dexidp/dex from v2.37.0 before v2.38.0.

critical: 0 high: 0 medium: 1 low: 1 github.com/aws/aws-sdk-go 1.54.10 (golang)

pkg:golang/github.com/aws/aws-sdk-go@1.54.10

# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate

medium : CVE--2020--8911

Affected range>=0
Fixed versionNot Fixed
EPSS Score0.05%
EPSS Percentile21st percentile
Description

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.

Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

low : CVE--2020--8912

Affected range>=0
Fixed versionNot Fixed
EPSS Score0.04%
EPSS Percentile14th percentile
Description

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.

Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

critical: 0 high: 0 medium: 0 low: 1 google.golang.org/grpc 1.64.0 (golang)

pkg:golang/google.golang.org/grpc@1.64.0

# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate

low : GHSA--xr7q--jx4m--x55m Exposure of Sensitive Information to an Unauthorized Actor

Affected range
>=1.64.0
<1.64.1
Fixed version1.64.1
Description

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.