CVE-2014-2685

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://framework.zend.com/security/advisory/ZF2014-02	Vendor Advisory
http://seclists.org/oss-sec/2014/q2/0
http://www.mandriva.com/security/advisories?name=MDVSA-2014:072
http://advisories.mageia.org/MGASA-2014-0151.html
http://www.securityfocus.com/bid/66358
http://www.debian.org/security/2015/dsa-3265

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zend:zend_framework:1.9.7:::::::*
	cpe:2.3:a:zend:zend_framework:1.9.6:::::::*
	cpe:2.3:a:zend:zend_framework:1.9.0:rc1::::::
	cpe:2.3:a:zend:zend_framework:1.9.0:b1::::::
	cpe:2.3:a:zend:zend_framework:1.8.1:::::::*
	cpe:2.3:a:zend:zend_framework:1.8.0:b1::::::
	cpe:2.3:a:zend:zend_framework:1.7.5:::::::*
	cpe:2.3:a:zend:zend_framework:1.7.4:::::::*
	cpe:2.3:a:zend:zend_framework:1.7.0:::::::*
	cpe:2.3:a:zend:zend_framework:1.6.2:::::::*
	cpe:2.3:a:zend:zend_framework:1.6.1:::::::*
	cpe:2.3:a:zend:zend_framework:1.12.0:rc3::::::
	cpe:2.3:a:zend:zend_framework:1.12.2:::::::*
	cpe:2.3:a:zend:zend_framework:1.8.0:::::::*
	cpe:2.3:a:zend:zend_framework:1.11.5:::::::*
	cpe:2.3:a:zend:zend_framework:1.5.0:rc1::::::
	cpe:2.3:a:zend:zend_framework:1.5.1:::::::*
	cpe:2.3:a:zend:zend_framework:1.6.0:rc2::::::
	cpe:2.3:a:zend:zend_framework:1.11.6:::::::*
	cpe:2.3:a:zend:zend_framework:1.9.5:::::::*
	cpe:2.3:a:zend:zend_framework:1.6.0:rc3::::::
	cpe:2.3:a:zend:zend_framework:1.9.0:a1::::::
	cpe:2.3:a:zend:zend_framework:1.5.0:rc3::::::
	cpe:2.3:a:zend:zend_framework:1.5.0:rc2::::::
	cpe:2.3:a:zend:zend_framework:1.9.0:::::::*
	cpe:2.3:a:zend:zend_framework:1.7.3:pl1::::::
	cpe:2.3:a:zend:zend_framework:1.12.0:rc1::::::
	cpe:2.3:a:zend:zend_framework:1.8.5:::::::*
	cpe:2.3:a:zend:zend_framework:1.11.7:::::::*
	cpe:2.3:a:zend:zend_framework:1.12.0:rc2::::::
	cpe:2.3:a:zend:zend_framework:1.7.3:::::::*
	cpe:2.3:a:zend:zend_framework:1.8.0:a1::::::
	cpe:2.3:a:zend:zend_framework:1.9.4:::::::*
	cpe:2.3:a:zend:zend_framework:1.11.0:b1::::::
	cpe:2.3:a:zend:zend_framework:1.10.3:::::::*
	cpe:2.3:a:zend:zend_framework:1.11.4:::::::*
	cpe:2.3:a:zend:zend_framework:1.10.5:::::::*
	cpe:2.3:a:zend:zend_framework:1.5.0:::::::*
	cpe:2.3:a:zend:zend_framework:1.8.3:::::::*
	cpe:2.3:a:zend:zend_framework:1.7.6:::::::*
	cpe:2.3:a:zend:zend_framework:1.5.0:pr::::::
	cpe:2.3:a:zend:zend_framework:1.8.4:pl1::::::
	cpe:2.3:a:zend:zend_framework:1.11.0:rc1::::::
	cpe:2.3:a:zend:zend_framework:1.7.2:::::::*
	cpe:2.3:a:zend:zend_framework:1.6.0:::::::*
	cpe:2.3:a:zend:zend_framework:1.7.0:pr::::::
	cpe:2.3:a:zend:zend_framework:1.9.2:::::::*
	cpe:2.3:a:zend:zend_framework:1.9.3:::::::*
	cpe:2.3:a:zend:zend_framework:1.10.4:::::::*
	cpe:2.3:a:zend:zend_framework:1.8.4:::::::*
	cpe:2.3:a:zend:zend_framework:1.0.0:::::::*
	cpe:2.3:a:zend:zend_framework:1.11.3:::::::*
	cpe:2.3:a:zend:zend_framework:1.5.2:::::::*
	cpe:2.3:a:zend:zend_framework:1.11.2:::::::*
	cpe:2.3:a:zend:zend_framework:1.0.3:::::::*
	cpe:2.3:a:zend:zend_framework:1.9.8:::::::*
	cpe:2.3:a:zend:zend_framework:1.11.0:::::::*
	cpe:2.3:a:zend:zend_framework:1.9.3:pl1::::::
	cpe:2.3:a:zend:zend_framework:1.12.1:::::::*
	cpe:2.3:a:zend:zend_framework:1.10.1:::::::*
	cpe:2.3:a:zend:zend_framework:1.12.0:rc4::::::
	cpe:2.3:a:zend:zend_framework:1.8.2:::::::*
	cpe:2.3:a:zend:zend_framework:1.7.1:::::::*
	cpe:2.3:a:zend:zend_framework:1.7.7:::::::*
cpe:2.3:a:zend:zend_framework:1.6.0:rc1::::::
cpe:2.3:a:zend:zend_framework:1.9.1:::::::*
cpe:2.3:a:zend:zend_framework:1.7.9:::::::*
cpe:2.3:a:zend:zend_framework:1.0.1:::::::*
cpe:2.3:a:zend:zend_framework:1.5.0:pl::::::
cpe:2.3:a:zend:zend_framework::::::::
cpe:2.3:a:zend:zend_framework:1.7.0:pl1::::::
cpe:2.3:a:zend:zend_framework:1.10.2:::::::*
cpe:2.3:a:zend:zend_framework:1.11.1:::::::*
cpe:2.3:a:zend:zend_framework:1.0.4:::::::*
cpe:2.3:a:zend:zend_framework:1.0.2:::::::*
cpe:2.3:a:zend:zend_framework:1.7.8:::::::*
cpe:2.3:a:zend:zend_framework:1.5.3:::::::*
cpe:2.3:a:zend:zend_framework:1.10.6:::::::*
cpe:2.3:a:zend:zend_framework:1.10.0:beta1::::::
cpe:2.3:a:zend:zend_framework:1.11.11:::::::*
cpe:2.3:a:zend:zend_framework:1.10.8:::::::*
cpe:2.3:a:zend:zend_framework:1.10.0:::::::*
cpe:2.3:a:zend:zend_framework:1.10.0:alpha1::::::
cpe:2.3:a:zend:zend_framework:1.0.0:rc2a::::::
cpe:2.3:a:zend:zend_framework:1.11.12:::::::*
cpe:2.3:a:zend:zend_framework:1.11.9:::::::*
cpe:2.3:a:zend:zend_framework:1.0.0:rc2::::::
cpe:2.3:a:zend:zend_framework:1.11.13:::::::*
cpe:2.3:a:zend:zend_framework:1.0.0:rc3::::::
cpe:2.3:a:zend:zend_framework:1.10.0:rc1::::::
cpe:2.3:a:zend:zend_framework:1.11.10:::::::*
cpe:2.3:a:zend:zend_framework:1.0.0:rc1::::::
cpe:2.3:a:zend:zend_framework:1.11.8:::::::*
cpe:2.3:a:zend:zend_framework:1.10.7:::::::*
cpe:2.3:a:zend:zend_framework:1.10.9:::::::*
cpe:2.3:a:zend:zend_framework:1.12.0:::::::*

Configuration 2 (hide)

cpe:2.3:a:zend:zendopenid:*:*:*:*:*:*:*:*

Information

Published : 2014-09-04 10:55

Updated : 2017-11-03 18:29

NVD link : CVE-2014-2685

Mitre link : CVE-2014-2685

JSON object : View

CWE

CWE-287

Improper Authentication

Products Affected

zend

zendopenid
zend_framework

7.5 /10