Auth bypass in Zend Zend_framework

CVE-2014-8088

The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthen…

Vulnerability class: Broken Authentication

EPSS: 0.006 (70.1th percentile) — read the EPSS interpretation.

Affected products

Zend Zend_framework — versions 1.12.0, 1.12.1, 1.12.2
N/a — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

FEDORA-2014-12344 (x_refsource_FEDORA, vendor-advisory)
[oss-security] 20141010 Re: CVE request: Zend Framework ZF2014-05 and ZF2014-06 (mailing-list, x_refsource_MLIST)
FEDORA-2014-12418 (x_refsource_FEDORA, vendor-advisory)
70378 (vdb-entry, x_refsource_BID)
cve@mitre.org (x_refsource_CONFIRM)
DSA-3265 (vendor-advisory, x_refsource_DEBIAN)
zend-framework-cve20148088-sec-bypass(97038) (vdb-entry, x_refsource_XF)