The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2014-09-04T17:00:00
Updated: 2024-08-06T10:21:36.026Z
Reserved: 2014-03-30T00:00:00
Link: CVE-2014-2685
Vulnrichment
No data.
NVD
Status : Modified
Published: 2014-09-04T17:55:04.747
Modified: 2024-11-21T02:06:47.307
Link: CVE-2014-2685
Redhat
No data.