Back to search
CVE-2014-2685
Published: Sep 4, 2014
Modified: Aug 6, 2024
PUBLISHED
Description
The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
[oss-security] 20140331 CVE requests: Zend Framework issues fixed in ZF2014-01 and ZF2014-02
mailing-list
x_refsource_MLIST
MDVSA-2014:072
vendor-advisory
x_refsource_MANDRIVA
http://advisories.mageia.org/MGASA-2014-0151.html
x_refsource_CONFIRM
66358
vdb-entry
x_refsource_BID
DSA-3265
vendor-advisory
x_refsource_DEBIAN
http://framework.zend.com/security/advisory/ZF2014-02
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now