
Zend Framework < 1.12.4 Multiple Vulnerabilities

Critical

Synopsis

The remote host is using a version of Zend Framework that is vulnerable to multiple attack vectors.

Description

Versions of Zend Framework earlier than 1.12.4 are vulnerable to the following security flaws:

- A flaw exists in the 'Consumer' component, as it is possible to log in using an arbitrary OpenID account without knowing any secret information. With a specially crafted OpenID Provider, a remote attacker can impersonate any OpenID Identity to bypass the authentication mechanism. (CVE-2014-2684)

- A flaw exists in the 'Consumer' component, as elements in OpenID tokens are not properly checked to ensure they are signed. The framework considers a single signed element as sufficient, whereas the specification states that more elements are required to be signed if present. This may allow a remote attacker to cause insufficiently signed OpenID tokens to be accepted as valid. (CVE-2014-2685)
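The second flaw is about which fields the signature covers, not whether the signature verifies. The following added example (illustrative code, not Zend Framework's own Consumer) shows the check a relying party needs: the HMAC must verify and openid.signed must list every field that OpenID 2.0 section 10.1 requires. It assumes an HMAC-SHA256 association and constructs its own sample assertion and MAC key.

```python
import base64
import hashlib
import hmac

# OpenID 2.0 section 10.1: a positive assertion MUST sign these fields ...
ALWAYS_REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
# ... and these whenever they appear in the response.
REQUIRED_IF_PRESENT = {"claimed_id", "identity"}

def signed_fields(response):
    return [f for f in response.get("openid.signed", "").split(",") if f]

def missing_signed_fields(response):
    """Required fields that the OP left out of openid.signed."""
    needed = set(ALWAYS_REQUIRED) | {f for f in REQUIRED_IF_PRESENT if "openid." + f in response}
    return needed - set(signed_fields(response))

def kv_form(response, fields):
    # Key-value form the signature covers: "field:value\n" per signed field, in order.
    return "".join(f"{f}:{response['openid.' + f]}\n" for f in fields)

def sign(response, mac_key):
    """Return a copy carrying openid.sig (HMAC-SHA256 over the listed signed fields)."""
    mac = hmac.new(mac_key, kv_form(response, signed_fields(response)).encode(), hashlib.sha256)
    return dict(response, **{"openid.sig": base64.b64encode(mac.digest()).decode()})

def signature_valid(response, mac_key):
    try:
        expected = sign(response, mac_key)["openid.sig"]
    except KeyError:  # a field listed in openid.signed is absent from the response
        return False
    return hmac.compare_digest(expected, response.get("openid.sig", ""))

def accept_assertion(response, mac_key):
    """Hardened check: the MAC must verify AND cover every required field."""
    return (response.get("openid.mode") == "id_res"
            and signature_valid(response, mac_key)
            and not missing_signed_fields(response))

# Constructed sample data; a real MAC key comes from the association with the OP.
MAC_KEY = b"constructed-association-mac-key"
BASE = {
    "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server", "openid.return_to": "https://rp.example/cb",
    "openid.claimed_id": "https://op.example/alice", "openid.identity": "https://op.example/alice",
    "openid.response_nonce": "2014-04-01T00:00:00Zabc", "openid.assoc_handle": "h1",
}
GOOD = sign(dict(BASE, **{"openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}), MAC_KEY)
# Only return_to is signed: the MAC still verifies, but identity and claimed_id are uncovered.
BAD = sign(dict(BASE, **{"openid.signed": "return_to"}), MAC_KEY)
```

A consumer that stops at signature_valid() accepts BAD; accept_assertion() rejects it because the signed list omits required fields.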

Solution

Upgrade Zend Framework to version 1.12.4 or later.