Candidate: CVE-2014-2684
PublicDate: 2014-11-16 00:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684
 http://framework.zend.com/security/advisory/ZF2014-02
Description:
 The GenericConsumer class in the Consumer component in ZendOpenId before
 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4
 does not verify that the openid_op_endpoint value identifies the same
 Identity Provider as the provider used in the association handle, which
 allows remote attackers to bypass authentication and spoof arbitrary OpenID
 identities by using a malicious OpenID Provider that generates OpenID
 tokens with arbitrary identifier and claimed_id values.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743175
Priority: medium
Discovered-by: Christian Mainka and Vladislav Mladenov
Assigned-to:
CVSS: 

Patches_zendframework:
upstream_zendframework: released (1.12.4)
lucid_zendframework: ignored (reached end-of-life)
precise_zendframework: DNE
quantal_zendframework: DNE
saucy_zendframework: DNE
devel_zendframework: DNE