Auth bypass in Zend Zend_framework

CVE-2014-2685

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which a…

Vulnerability class: Broken Authentication

EPSS: 0.008 (75.1th percentile) — read the EPSS interpretation.

Affected products

Zend Zend_framework — versions 1.0.0, 1.0.1, 1.0.2
Zend Zendopenid
N/a — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

[oss-security] 20140331 CVE requests: Zend Framework issues fixed in ZF2014-01 and ZF2014-02 (mailing-list, x_refsource_MLIST)
MDVSA-2014:072 (vendor-advisory, x_refsource_MANDRIVA)
cve@mitre.org (x_refsource_CONFIRM)
66358 (vdb-entry, x_refsource_BID)
DSA-3265 (vendor-advisory, x_refsource_DEBIAN)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)