QwikSec

Security Database

CVE

CWE

Training

CVE-2014-2684

Published: Nov 16, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

[oss-security] 20140331 CVE requests: Zend Framework issues fixed in ZF2014-01 and ZF2014-02

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_MANDRIVA

http://advisories.mageia.org/MGASA-2014-0151.html

x_refsource_CONFIRM

vdb-entry

x_refsource_BID

vendor-advisory

x_refsource_DEBIAN

http://framework.zend.com/security/advisory/ZF2014-02

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.