CVE-2014-2684 - Vulnerability Details - OpenCVE

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zend	Zend Framework Zendopenid

Configuration 1 [-]

cpe:2.3:a:zend:zendopenid:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://advisories.mageia.org/MGASA-2014-0151.html
http://framework.zend.com/security/advisory/ZF2014-02
http://seclists.org/oss-sec/2014/q2/0
http://www.debian.org/security/2015/dsa-3265
http://www.mandriva.com/security/advisories?name=MDVSA-2014:072
http://www.securityfocus.com/bid/66358

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-11-16T00:00:00

Updated: 2024-08-06T10:21:36.004Z

Reserved: 2014-03-30T00:00:00

Link: CVE-2014-2684

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-11-16T00:59:04.983

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-2684

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-03-06T00:00:00", "descriptions": [{"lang": "en", "value": "The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-03T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20140331 CVE requests: Zend Framework issues fixed in ZF2014-01 and ZF2014-02", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q2/0"}, {"name": "MDVSA-2014:072", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:072"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://advisories.mageia.org/MGASA-2014-0151.html"}, {"name": "66358", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/66358"}, {"name": "DSA-3265", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3265"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://framework.zend.com/security/advisory/ZF2014-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2684", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20140331 CVE requests: Zend Framework issues fixed in ZF2014-01 and ZF2014-02", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q2/0"}, {"name": "MDVSA-2014:072", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:072"}, {"name": "http://advisories.mageia.org/MGASA-2014-0151.html", "refsource": "CONFIRM", "url": "http://advisories.mageia.org/MGASA-2014-0151.html"}, {"name": "66358", "refsource": "BID", "url": "http://www.securityfocus.com/bid/66358"}, {"name": "DSA-3265", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3265"}, {"name": "http://framework.zend.com/security/advisory/ZF2014-02", "refsource": "CONFIRM", "url": "http://framework.zend.com/security/advisory/ZF2014-02"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:21:36.004Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20140331 CVE requests: Zend Framework issues fixed in ZF2014-01 and ZF2014-02", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q2/0"}, {"name": "MDVSA-2014:072", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:072"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://advisories.mageia.org/MGASA-2014-0151.html"}, {"name": "66358", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/66358"}, {"name": "DSA-3265", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3265"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://framework.zend.com/security/advisory/ZF2014-02"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2684", "datePublished": "2014-11-16T00:00:00", "dateReserved": "2014-03-30T00:00:00", "dateUpdated": "2024-08-06T10:21:36.004Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zend:zendopenid:*:*:*:*:*:*:*:*", "matchCriteriaId": "255171B6-0A4C-4757-ADDA-28916398499C", "versionEndIncluding": "2.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EA449F4-8463-4C40-877F-572A61445339", "versionEndIncluding": "1.12.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values."}, {"lang": "es", "value": "La clase GenericConsumer en el componente Consumer en ZendOpenId anterior a 2.0.2 y la clase Zend_OpenId_Consumer en Zend Framework 1 anterior a 1.12.4 no verifican correctamente que el valor de openid_op_endpoint identifique el mismo proveedor de identidad que el proveedor manejado en la asociaci\u00f3n, lo que permite a atacantes remotos evadir la autenticaci\u00f3n y falsificar identidades OpenID de forma arbitraria usando un proveedor de OpenID malicioso que genera tokens OpenID con identificadores y valores claimed_id arbitrarios."}], "id": "CVE-2014-2684", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-11-16T00:59:04.983", "references": [{"source": "cve@mitre.org", "url": "http://advisories.mageia.org/MGASA-2014-0151.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://framework.zend.com/security/advisory/ZF2014-02"}, {"source": "cve@mitre.org", "url": "http://seclists.org/oss-sec/2014/q2/0"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3265"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:072"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/66358"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://advisories.mageia.org/MGASA-2014-0151.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://framework.zend.com/security/advisory/ZF2014-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2014/q2/0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3265"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:072"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/66358"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}