Your submission was sent successfully! Close

CVE-2014-2684

Published: 16 November 2014

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values.

Priority

Medium

Status

Package Release Status
zendframework
Launchpad, Ubuntu, Debian
Upstream
Released (1.12.4)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist