CVE-2014-2685

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Zend_framework	Zend	*	1.12.3 (including)
Zend_framework	Zend	1.0.0 (including)	1.0.0 (including)
Zend_framework	Zend	1.0.0-rc1 (including)	1.0.0-rc1 (including)
Zend_framework	Zend	1.0.0-rc2 (including)	1.0.0-rc2 (including)
Zend_framework	Zend	1.0.0-rc2a (including)	1.0.0-rc2a (including)
Zend_framework	Zend	1.0.0-rc3 (including)	1.0.0-rc3 (including)
Zend_framework	Zend	1.0.1 (including)	1.0.1 (including)
Zend_framework	Zend	1.0.2 (including)	1.0.2 (including)
Zend_framework	Zend	1.0.3 (including)	1.0.3 (including)
Zend_framework	Zend	1.0.4 (including)	1.0.4 (including)
Zend_framework	Zend	1.5.0 (including)	1.5.0 (including)
Zend_framework	Zend	1.5.0-pl (including)	1.5.0-pl (including)
Zend_framework	Zend	1.5.0-pr (including)	1.5.0-pr (including)
Zend_framework	Zend	1.5.0-rc1 (including)	1.5.0-rc1 (including)
Zend_framework	Zend	1.5.0-rc2 (including)	1.5.0-rc2 (including)
Zend_framework	Zend	1.5.0-rc3 (including)	1.5.0-rc3 (including)
Zend_framework	Zend	1.5.1 (including)	1.5.1 (including)
Zend_framework	Zend	1.5.2 (including)	1.5.2 (including)
Zend_framework	Zend	1.5.3 (including)	1.5.3 (including)
Zend_framework	Zend	1.6.0 (including)	1.6.0 (including)
Zend_framework	Zend	1.6.0-rc1 (including)	1.6.0-rc1 (including)
Zend_framework	Zend	1.6.0-rc2 (including)	1.6.0-rc2 (including)
Zend_framework	Zend	1.6.0-rc3 (including)	1.6.0-rc3 (including)
Zend_framework	Zend	1.6.1 (including)	1.6.1 (including)
Zend_framework	Zend	1.6.2 (including)	1.6.2 (including)
Zend_framework	Zend	1.7.0 (including)	1.7.0 (including)
Zend_framework	Zend	1.7.0-pl1 (including)	1.7.0-pl1 (including)
Zend_framework	Zend	1.7.0-pr (including)	1.7.0-pr (including)
Zend_framework	Zend	1.7.1 (including)	1.7.1 (including)
Zend_framework	Zend	1.7.2 (including)	1.7.2 (including)
Zend_framework	Zend	1.7.3 (including)	1.7.3 (including)
Zend_framework	Zend	1.7.3-pl1 (including)	1.7.3-pl1 (including)
Zend_framework	Zend	1.7.4 (including)	1.7.4 (including)
Zend_framework	Zend	1.7.5 (including)	1.7.5 (including)
Zend_framework	Zend	1.7.6 (including)	1.7.6 (including)
Zend_framework	Zend	1.7.7 (including)	1.7.7 (including)
Zend_framework	Zend	1.7.8 (including)	1.7.8 (including)
Zend_framework	Zend	1.7.9 (including)	1.7.9 (including)
Zend_framework	Zend	1.8.0 (including)	1.8.0 (including)
Zend_framework	Zend	1.8.0-a1 (including)	1.8.0-a1 (including)
Zend_framework	Zend	1.8.0-b1 (including)	1.8.0-b1 (including)
Zend_framework	Zend	1.8.1 (including)	1.8.1 (including)
Zend_framework	Zend	1.8.2 (including)	1.8.2 (including)
Zend_framework	Zend	1.8.3 (including)	1.8.3 (including)
Zend_framework	Zend	1.8.4 (including)	1.8.4 (including)
Zend_framework	Zend	1.8.4-pl1 (including)	1.8.4-pl1 (including)
Zend_framework	Zend	1.8.5 (including)	1.8.5 (including)
Zend_framework	Zend	1.9.0 (including)	1.9.0 (including)
Zend_framework	Zend	1.9.0-a1 (including)	1.9.0-a1 (including)
Zend_framework	Zend	1.9.0-b1 (including)	1.9.0-b1 (including)
Zend_framework	Zend	1.9.0-rc1 (including)	1.9.0-rc1 (including)
Zend_framework	Zend	1.9.1 (including)	1.9.1 (including)
Zend_framework	Zend	1.9.2 (including)	1.9.2 (including)
Zend_framework	Zend	1.9.3 (including)	1.9.3 (including)
Zend_framework	Zend	1.9.3-pl1 (including)	1.9.3-pl1 (including)
Zend_framework	Zend	1.9.4 (including)	1.9.4 (including)
Zend_framework	Zend	1.9.5 (including)	1.9.5 (including)
Zend_framework	Zend	1.9.6 (including)	1.9.6 (including)
Zend_framework	Zend	1.9.7 (including)	1.9.7 (including)
Zend_framework	Zend	1.9.8 (including)	1.9.8 (including)
Zend_framework	Zend	1.10.0 (including)	1.10.0 (including)
Zend_framework	Zend	1.10.0-alpha1 (including)	1.10.0-alpha1 (including)
Zend_framework	Zend	1.10.0-beta1 (including)	1.10.0-beta1 (including)
Zend_framework	Zend	1.10.0-rc1 (including)	1.10.0-rc1 (including)
Zend_framework	Zend	1.10.1 (including)	1.10.1 (including)
Zend_framework	Zend	1.10.2 (including)	1.10.2 (including)
Zend_framework	Zend	1.10.3 (including)	1.10.3 (including)
Zend_framework	Zend	1.10.4 (including)	1.10.4 (including)
Zend_framework	Zend	1.10.5 (including)	1.10.5 (including)
Zend_framework	Zend	1.10.6 (including)	1.10.6 (including)
Zend_framework	Zend	1.10.7 (including)	1.10.7 (including)
Zend_framework	Zend	1.10.8 (including)	1.10.8 (including)
Zend_framework	Zend	1.10.9 (including)	1.10.9 (including)
Zend_framework	Zend	1.11.0 (including)	1.11.0 (including)
Zend_framework	Zend	1.11.0-b1 (including)	1.11.0-b1 (including)
Zend_framework	Zend	1.11.0-rc1 (including)	1.11.0-rc1 (including)
Zend_framework	Zend	1.11.1 (including)	1.11.1 (including)
Zend_framework	Zend	1.11.2 (including)	1.11.2 (including)
Zend_framework	Zend	1.11.3 (including)	1.11.3 (including)
Zend_framework	Zend	1.11.4 (including)	1.11.4 (including)
Zend_framework	Zend	1.11.5 (including)	1.11.5 (including)
Zend_framework	Zend	1.11.6 (including)	1.11.6 (including)
Zend_framework	Zend	1.11.7 (including)	1.11.7 (including)
Zend_framework	Zend	1.11.8 (including)	1.11.8 (including)
Zend_framework	Zend	1.11.9 (including)	1.11.9 (including)
Zend_framework	Zend	1.11.10 (including)	1.11.10 (including)
Zend_framework	Zend	1.11.11 (including)	1.11.11 (including)
Zend_framework	Zend	1.11.12 (including)	1.11.12 (including)
Zend_framework	Zend	1.11.13 (including)	1.11.13 (including)
Zend_framework	Zend	1.12.0 (including)	1.12.0 (including)
Zend_framework	Zend	1.12.0-rc1 (including)	1.12.0-rc1 (including)
Zend_framework	Zend	1.12.0-rc2 (including)	1.12.0-rc2 (including)
Zend_framework	Zend	1.12.0-rc3 (including)	1.12.0-rc3 (including)
Zend_framework	Zend	1.12.0-rc4 (including)	1.12.0-rc4 (including)
Zend_framework	Zend	1.12.1 (including)	1.12.1 (including)
Zend_framework	Zend	1.12.2 (including)	1.12.2 (including)
Zendframework	Ubuntu	lucid	*
Zendframework	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-2685
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

References

CVE-2014-2685

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References