← Voltar para CVEs

CVE-2014-2685

N/A

Descricao

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

Detalhes CVE

Pontuacao CVSS v3.1N/A

Publicado9/4/2014

Ultima modificacao4/12/2025

Fontenvd

Avistamentos honeypot0

Produtos afetados

zend:zend_frameworkzend:zendopenid

Fraquezas (CWE)

CWE-287

Referencias

http://advisories.mageia.org/MGASA-2014-0151.html(cve@mitre.org)

http://framework.zend.com/security/advisory/ZF2014-02(cve@mitre.org)

http://seclists.org/oss-sec/2014/q2/0(cve@mitre.org)

http://www.debian.org/security/2015/dsa-3265(cve@mitre.org)

http://www.mandriva.com/security/advisories?name=MDVSA-2014:072(cve@mitre.org)

http://www.securityfocus.com/bid/66358(cve@mitre.org)

http://advisories.mageia.org/MGASA-2014-0151.html(af854a3a-2127-422b-91ae-364da2661108)

http://framework.zend.com/security/advisory/ZF2014-02(af854a3a-2127-422b-91ae-364da2661108)

http://seclists.org/oss-sec/2014/q2/0(af854a3a-2127-422b-91ae-364da2661108)

http://www.debian.org/security/2015/dsa-3265(af854a3a-2127-422b-91ae-364da2661108)

http://www.mandriva.com/security/advisories?name=MDVSA-2014:072(af854a3a-2127-422b-91ae-364da2661108)

http://www.securityfocus.com/bid/66358(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.