Zurück zur Liste

Dex: Token-exchange endpoint is missing AllowedConnectors enforcement — GHSA-7QJX-GP9H-65QJ

GitHub · GitHub · GHSA-7QJX-GP9H-65QJ

ID
GHSA-7QJX-GP9H-65QJ

Datum
2026-06-09

Activity
2026-06-09

Quelle
GitHub

Vendor
GitHub

Risiko
high

CVSS
8.7

Zusammenfassung

## Summary `server/handlers.go::handleTokenExchange` (lines 1804-1893) does not call `isConnectorAllowed(client.AllowedConnectors, connID)` before issuing tokens, while sibling handlers do. This is a per-client connector ACL gap on the token-exchange endpoint; the redirect-flow paths enforce the same field correctly. ## Affected code path `handleTokenExchange` reads `connector_id` from the request body at…

Produkt

go: github.com/dexidp/dex

Was tun?

Allgemeine, vorsichtige Schritte (bitte prüfe die offizielle Quelle für Details):

Priorisiere sofort Patches oder Mitigations (hohes akutes Risiko).
Identifiziere betroffene Produktversionen und prüfe, ob du betroffen bist.
Spiele Hersteller-Updates/Patches ein oder setze empfohlene Mitigations um.
Lies das offizielle Advisory für betroffene Versionen und konkrete Schritte.

Offizielles Advisory

Zur offiziellen Quelle

Mehr dazu

GitHub GitHub 2026-W24

Angular Client Hydration DOM Clobbering & Response-Cache Poisoning

2026-06-15 CVE-2026-54267

highGitHub GitHub 2026-W25

aws-cdk-lib: OS Command Injection in NodejsFunction Bundling

2026-06-15 CVE-2026-11417

highGitHub GitHub 2026-W25

Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature

2026-06-15 CVE-2026-50560

mediumGitHub GitHub 2026-W25

Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted

2026-06-15 CVE-2026-50020

mediumGitHub GitHub 2026-W25

Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length

2026-06-15 CVE-2026-50011

highGitHub GitHub 2026-W25

Netty: Wrapping plain trust manager silently disables hostname verification

2026-06-15 CVE-2026-50010

highGitHub GitHub 2026-W25