CVE-2014-2685
Summary
| CVE | CVE-2014-2685 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-09-04 17:55:00 UTC |
| Updated | 2017-11-04 01:29:00 UTC |
| Description | The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. |
Risk And Classification
Problem Types: CWE-287
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Zend | Zendopenid | All | All | All | All |
| Application | Zend | Zend Framework | 1.0.0 | All | All | All |
| Application | Zend | Zend Framework | 1.0.0 | rc1 | All | All |
| Application | Zend | Zend Framework | 1.0.0 | rc2 | All | All |
| Application | Zend | Zend Framework | 1.0.0 | rc2a | All | All |
| Application | Zend | Zend Framework | 1.0.0 | rc3 | All | All |
| Application | Zend | Zend Framework | 1.0.1 | All | All | All |
| Application | Zend | Zend Framework | 1.0.2 | All | All | All |
| Application | Zend | Zend Framework | 1.0.3 | All | All | All |
| Application | Zend | Zend Framework | 1.0.4 | All | All | All |
| Application | Zend | Zend Framework | 1.10.0 | All | All | All |
| Application | Zend | Zend Framework | 1.10.0 | alpha1 | All | All |
| Application | Zend | Zend Framework | 1.10.0 | beta1 | All | All |
| Application | Zend | Zend Framework | 1.10.0 | rc1 | All | All |
| Application | Zend | Zend Framework | 1.10.1 | All | All | All |
| Application | Zend | Zend Framework | 1.10.2 | All | All | All |
| Application | Zend | Zend Framework | 1.10.3 | All | All | All |
| Application | Zend | Zend Framework | 1.10.4 | All | All | All |
| Application | Zend | Zend Framework | 1.10.5 | All | All | All |
| Application | Zend | Zend Framework | 1.10.6 | All | All | All |
| Application | Zend | Zend Framework | 1.10.7 | All | All | All |
| Application | Zend | Zend Framework | 1.10.8 | All | All | All |
| Application | Zend | Zend Framework | 1.10.9 | All | All | All |
| Application | Zend | Zend Framework | 1.11.0 | All | All | All |
| Application | Zend | Zend Framework | 1.11.0 | b1 | All | All |
| Application | Zend | Zend Framework | 1.11.0 | rc1 | All | All |
| Application | Zend | Zend Framework | 1.11.1 | All | All | All |
| Application | Zend | Zend Framework | 1.11.10 | All | All | All |
| Application | Zend | Zend Framework | 1.11.11 | All | All | All |
| Application | Zend | Zend Framework | 1.11.12 | All | All | All |
| Application | Zend | Zend Framework | 1.11.13 | All | All | All |
| Application | Zend | Zend Framework | 1.11.2 | All | All | All |
| Application | Zend | Zend Framework | 1.11.3 | All | All | All |
| Application | Zend | Zend Framework | 1.11.4 | All | All | All |
| Application | Zend | Zend Framework | 1.11.5 | All | All | All |
| Application | Zend | Zend Framework | 1.11.6 | All | All | All |
| Application | Zend | Zend Framework | 1.11.7 | All | All | All |
| Application | Zend | Zend Framework | 1.11.8 | All | All | All |
| Application | Zend | Zend Framework | 1.11.9 | All | All | All |
| Application | Zend | Zend Framework | 1.12.0 | All | All | All |
| Application | Zend | Zend Framework | 1.12.0 | rc1 | All | All |
| Application | Zend | Zend Framework | 1.12.0 | rc2 | All | All |
| Application | Zend | Zend Framework | 1.12.0 | rc3 | All | All |
| Application | Zend | Zend Framework | 1.12.0 | rc4 | All | All |
| Application | Zend | Zend Framework | 1.12.1 | All | All | All |
| Application | Zend | Zend Framework | 1.12.2 | All | All | All |
| Application | Zend | Zend Framework | 1.5.0 | All | All | All |
| Application | Zend | Zend Framework | 1.5.0 | pl | All | All |
| Application | Zend | Zend Framework | 1.5.0 | pr | All | All |
| Application | Zend | Zend Framework | 1.5.0 | rc1 | All | All |
| Application | Zend | Zend Framework | 1.5.0 | rc2 | All | All |
| Application | Zend | Zend Framework | 1.5.0 | rc3 | All | All |
| Application | Zend | Zend Framework | 1.5.1 | All | All | All |
| Application | Zend | Zend Framework | 1.5.2 | All | All | All |
| Application | Zend | Zend Framework | 1.5.3 | All | All | All |
| Application | Zend | Zend Framework | 1.6.0 | All | All | All |
| Application | Zend | Zend Framework | 1.6.0 | rc1 | All | All |
| Application | Zend | Zend Framework | 1.6.0 | rc2 | All | All |
| Application | Zend | Zend Framework | 1.6.0 | rc3 | All | All |
| Application | Zend | Zend Framework | 1.6.1 | All | All | All |
| Application | Zend | Zend Framework | 1.6.2 | All | All | All |
| Application | Zend | Zend Framework | 1.7.0 | All | All | All |
| Application | Zend | Zend Framework | 1.7.0 | pl1 | All | All |
| Application | Zend | Zend Framework | 1.7.0 | pr | All | All |
| Application | Zend | Zend Framework | 1.7.1 | All | All | All |
| Application | Zend | Zend Framework | 1.7.2 | All | All | All |
| Application | Zend | Zend Framework | 1.7.3 | All | All | All |
| Application | Zend | Zend Framework | 1.7.3 | pl1 | All | All |
| Application | Zend | Zend Framework | 1.7.4 | All | All | All |
| Application | Zend | Zend Framework | 1.7.5 | All | All | All |
| Application | Zend | Zend Framework | 1.7.6 | All | All | All |
| Application | Zend | Zend Framework | 1.7.7 | All | All | All |
| Application | Zend | Zend Framework | 1.7.8 | All | All | All |
| Application | Zend | Zend Framework | 1.7.9 | All | All | All |
| Application | Zend | Zend Framework | 1.8.0 | All | All | All |
| Application | Zend | Zend Framework | 1.8.0 | a1 | All | All |
| Application | Zend | Zend Framework | 1.8.0 | b1 | All | All |
| Application | Zend | Zend Framework | 1.8.1 | All | All | All |
| Application | Zend | Zend Framework | 1.8.2 | All | All | All |
| Application | Zend | Zend Framework | 1.8.3 | All | All | All |
| Application | Zend | Zend Framework | 1.8.4 | All | All | All |
| Application | Zend | Zend Framework | 1.8.4 | pl1 | All | All |
| Application | Zend | Zend Framework | 1.8.5 | All | All | All |
| Application | Zend | Zend Framework | 1.9.0 | All | All | All |
| Application | Zend | Zend Framework | 1.9.0 | a1 | All | All |
| Application | Zend | Zend Framework | 1.9.0 | b1 | All | All |
| Application | Zend | Zend Framework | 1.9.0 | rc1 | All | All |
| Application | Zend | Zend Framework | 1.9.1 | All | All | All |
| Application | Zend | Zend Framework | 1.9.2 | All | All | All |
| Application | Zend | Zend Framework | 1.9.3 | All | All | All |
| Application | Zend | Zend Framework | 1.9.3 | pl1 | All | All |
| Application | Zend | Zend Framework | 1.9.4 | All | All | All |
| Application | Zend | Zend Framework | 1.9.5 | All | All | All |
| Application | Zend | Zend Framework | 1.9.6 | All | All | All |
| Application | Zend | Zend Framework | 1.9.7 | All | All | All |
| Application | Zend | Zend Framework | 1.9.8 | All | All | All |
| Application | Zend | Zend Framework | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Debian -- Security Information -- DSA-3265-1 zendframework | DEBIAN | www.debian.org | |
| Support / Security / Advisories / MDVSA-2014:072 (Mandriva) | MANDRIVA | www.mandriva.com | |
| Mageia Advisory: MGASA-2014-0151 - Updated php-ZendFramework packages fix multiple vulnerabilities | CONFIRM | advisories.mageia.org | |
| ZF2014-02: Potential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer - Advisories - Security - Zend Framework | CONFIRM | framework.zend.com | Vendor Advisory |
| oss-sec: Re: CVE requests: Zend Framework issues fixed in ZF2014-01 and ZF2014-02 | MLIST | seclists.org | |
| Zend Framework Multiple Information Disclosure and Security Bypass Vulnerabilities | BID | www.securityfocus.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.