CVE-2014-2685
First published: Thu Sep 04 2014(Updated: )
The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/zendframework | ||
| Zend Framework | <=1.12.3 | |
| Zend Framework | =1.0.0 | |
| Zend Framework | =1.0.0-rc1 | |
| Zend Framework | =1.0.0-rc2 | |
| Zend Framework | =1.0.0-rc2a | |
| Zend Framework | =1.0.0-rc3 | |
| Zend Framework | =1.0.1 | |
| Zend Framework | =1.0.2 | |
| Zend Framework | =1.0.3 | |
| Zend Framework | =1.0.4 | |
| Zend Framework | =1.5.0 | |
| Zend Framework | =1.5.0-pl | |
| Zend Framework | =1.5.0-pr | |
| Zend Framework | =1.5.0-rc1 | |
| Zend Framework | =1.5.0-rc2 | |
| Zend Framework | =1.5.0-rc3 | |
| Zend Framework | =1.5.1 | |
| Zend Framework | =1.5.2 | |
| Zend Framework | =1.5.3 | |
| Zend Framework | =1.6.0 | |
| Zend Framework | =1.6.0-rc1 | |
| Zend Framework | =1.6.0-rc2 | |
| Zend Framework | =1.6.0-rc3 | |
| Zend Framework | =1.6.1 | |
| Zend Framework | =1.6.2 | |
| Zend Framework | =1.7.0 | |
| Zend Framework | =1.7.0-pl1 | |
| Zend Framework | =1.7.0-pr | |
| Zend Framework | =1.7.1 | |
| Zend Framework | =1.7.2 | |
| Zend Framework | =1.7.3 | |
| Zend Framework | =1.7.3-pl1 | |
| Zend Framework | =1.7.4 | |
| Zend Framework | =1.7.5 | |
| Zend Framework | =1.7.6 | |
| Zend Framework | =1.7.7 | |
| Zend Framework | =1.7.8 | |
| Zend Framework | =1.7.9 | |
| Zend Framework | =1.8.0 | |
| Zend Framework | =1.8.0-a1 | |
| Zend Framework | =1.8.0-b1 | |
| Zend Framework | =1.8.1 | |
| Zend Framework | =1.8.2 | |
| Zend Framework | =1.8.3 | |
| Zend Framework | =1.8.4 | |
| Zend Framework | =1.8.4-pl1 | |
| Zend Framework | =1.8.5 | |
| Zend Framework | =1.9.0 | |
| Zend Framework | =1.9.0-a1 | |
| Zend Framework | =1.9.0-b1 | |
| Zend Framework | =1.9.0-rc1 | |
| Zend Framework | =1.9.1 | |
| Zend Framework | =1.9.2 | |
| Zend Framework | =1.9.3 | |
| Zend Framework | =1.9.3-pl1 | |
| Zend Framework | =1.9.4 | |
| Zend Framework | =1.9.5 | |
| Zend Framework | =1.9.6 | |
| Zend Framework | =1.9.7 | |
| Zend Framework | =1.9.8 | |
| Zend Framework | =1.10.0 | |
| Zend Framework | =1.10.0-alpha1 | |
| Zend Framework | =1.10.0-beta1 | |
| Zend Framework | =1.10.0-rc1 | |
| Zend Framework | =1.10.1 | |
| Zend Framework | =1.10.2 | |
| Zend Framework | =1.10.3 | |
| Zend Framework | =1.10.4 | |
| Zend Framework | =1.10.5 | |
| Zend Framework | =1.10.6 | |
| Zend Framework | =1.10.7 | |
| Zend Framework | =1.10.8 | |
| Zend Framework | =1.10.9 | |
| Zend Framework | =1.11.0 | |
| Zend Framework | =1.11.0-b1 | |
| Zend Framework | =1.11.0-rc1 | |
| Zend Framework | =1.11.1 | |
| Zend Framework | =1.11.2 | |
| Zend Framework | =1.11.3 | |
| Zend Framework | =1.11.4 | |
| Zend Framework | =1.11.5 | |
| Zend Framework | =1.11.6 | |
| Zend Framework | =1.11.7 | |
| Zend Framework | =1.11.8 | |
| Zend Framework | =1.11.9 | |
| Zend Framework | =1.11.10 | |
| Zend Framework | =1.11.11 | |
| Zend Framework | =1.11.12 | |
| Zend Framework | =1.11.13 | |
| Zend Framework | =1.12.0 | |
| Zend Framework | =1.12.0-rc1 | |
| Zend Framework | =1.12.0-rc2 | |
| Zend Framework | =1.12.0-rc3 | |
| Zend Framework | =1.12.0-rc4 | |
| Zend Framework | =1.12.1 | |
| Zend Framework | =1.12.2 | |
| Zend OpenID | <=2.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://advisories.mageia.org/MGASA-2014-0151.html
- http://framework.zend.com/security/advisory/ZF2014-02
- http://seclists.org/oss-sec/2014/q2/0
- http://www.debian.org/security/2015/dsa-3265
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:072
- http://www.securityfocus.com/bid/66358
- https://security-tracker.debian.org/tracker/CVE-2014-2685
Frequently Asked Questions
What is the severity of CVE-2014-2685?
The severity of CVE-2014-2685 is classified as high due to the potential for remote attackers to bypass authentication.
How do I fix CVE-2014-2685?
To fix CVE-2014-2685, update Zend Framework to version 1.12.4 or later, or upgrade ZendOpenId to 2.0.2 or newer.
What versions are affected by CVE-2014-2685?
CVE-2014-2685 affects Zend Framework versions prior to 1.12.4 and ZendOpenId versions prior to 2.0.2.
What type of vulnerability is CVE-2014-2685?
CVE-2014-2685 is an authentication bypass vulnerability that violates the OpenID 2.0 protocol.
Who is at risk due to CVE-2014-2685?
Users of affected versions of Zend Framework and ZendOpenId are at risk due to the potential for unauthorized access.
- collector/security-tracker-debian
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/severity
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/zend
- canonical/zend framework
- version/zend framework/1.12.3
- version/zend framework/1.0.0
- version/zend framework/1.0.0-rc1
- version/zend framework/1.0.0-rc2
- version/zend framework/1.0.0-rc2a
- version/zend framework/1.0.0-rc3
- version/zend framework/1.0.1
- version/zend framework/1.0.2
- version/zend framework/1.0.3
- version/zend framework/1.0.4
- version/zend framework/1.5.0
- version/zend framework/1.5.0-pl
- version/zend framework/1.5.0-pr
- version/zend framework/1.5.0-rc1
- version/zend framework/1.5.0-rc2
- version/zend framework/1.5.0-rc3
- version/zend framework/1.5.1
- version/zend framework/1.5.2
- version/zend framework/1.5.3
- version/zend framework/1.6.0
- version/zend framework/1.6.0-rc1
- version/zend framework/1.6.0-rc2
- version/zend framework/1.6.0-rc3
- version/zend framework/1.6.1
- version/zend framework/1.6.2
- version/zend framework/1.7.0
- version/zend framework/1.7.0-pl1
- version/zend framework/1.7.0-pr
- version/zend framework/1.7.1
- version/zend framework/1.7.2
- version/zend framework/1.7.3
- version/zend framework/1.7.3-pl1
- version/zend framework/1.7.4
- version/zend framework/1.7.5
- version/zend framework/1.7.6
- version/zend framework/1.7.7
- version/zend framework/1.7.8
- version/zend framework/1.7.9
- version/zend framework/1.8.0
- version/zend framework/1.8.0-a1
- version/zend framework/1.8.0-b1
- version/zend framework/1.8.1
- version/zend framework/1.8.2
- version/zend framework/1.8.3
- version/zend framework/1.8.4
- version/zend framework/1.8.4-pl1
- version/zend framework/1.8.5
- version/zend framework/1.9.0
- version/zend framework/1.9.0-a1
- version/zend framework/1.9.0-b1
- version/zend framework/1.9.0-rc1
- version/zend framework/1.9.1
- version/zend framework/1.9.2
- version/zend framework/1.9.3
- version/zend framework/1.9.3-pl1
- version/zend framework/1.9.4
- version/zend framework/1.9.5
- version/zend framework/1.9.6
- version/zend framework/1.9.7
- version/zend framework/1.9.8
- version/zend framework/1.10.0
- version/zend framework/1.10.0-alpha1
- version/zend framework/1.10.0-beta1
- version/zend framework/1.10.0-rc1
- version/zend framework/1.10.1
- version/zend framework/1.10.2
- version/zend framework/1.10.3
- version/zend framework/1.10.4
- version/zend framework/1.10.5
- version/zend framework/1.10.6
- version/zend framework/1.10.7
- version/zend framework/1.10.8
- version/zend framework/1.10.9
- version/zend framework/1.11.0
- version/zend framework/1.11.0-b1
- version/zend framework/1.11.0-rc1
- version/zend framework/1.11.1
- version/zend framework/1.11.2
- version/zend framework/1.11.3
- version/zend framework/1.11.4
- version/zend framework/1.11.5
- version/zend framework/1.11.6
- version/zend framework/1.11.7
- version/zend framework/1.11.8
- version/zend framework/1.11.9
- version/zend framework/1.11.10
- version/zend framework/1.11.11
- version/zend framework/1.11.12
- version/zend framework/1.11.13
- version/zend framework/1.12.0
- version/zend framework/1.12.0-rc1
- version/zend framework/1.12.0-rc2
- version/zend framework/1.12.0-rc3
- version/zend framework/1.12.0-rc4
- version/zend framework/1.12.1
- version/zend framework/1.12.2
- canonical/zend openid
- version/zend openid/2.0.1