CVE-2014-2684 — Framework vulnerability

CWE-2644 documents4 sources
Severity
6.4MEDIUMNVD
EPSS
0.6%
top 31.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Zend FrameworkZend Zendopenid
Timeline
PublishedNov 16
Latest updateMay 17

Description

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages2 packages

â–¶NVDzend/zendopenid2.0.1
â–¶NVDzend/zend_framework1.12.4

🔴Vulnerability Details

2
GHSA
GHSA-hwqj-6cj6-j4c3: The GenericConsumer class in the Consumer component in ZendOpenId before 2↗2022-05-17
â–¶
CVEList
CVE-2014-2684: The GenericConsumer class in the Consumer component in ZendOpenId before 2↗2014-11-16
â–¶

💬Community

1
Bugzilla
CVE-2014-2684 CVE-2014-2685 php-ZendFramework: OpenID identity provider could be used to spoof other identity providers (ZF2014-02)↗2014-03-27
â–¶
CVE-2014-2684 — Zend Framework vulnerability | cvebase