Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05djc4LWgyMjYtMnJtcc4AA80Q
Zendframework potential security issue in login mechanism
Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.
Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed.
Permalink: https://github.com/advisories/GHSA-9v78-h226-2rmqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05djc4LWgyMjYtMnJtcc4AA80Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-9v78-h226-2rmq
References:
- https://framework.zend.com/security/advisory/ZF2014-02
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2014-02.yaml
- https://github.com/advisories/GHSA-9v78-h226-2rmq
Affected Packages
packagist:zendframework/zendframework1
Dependent packages: 151Dependent repositories: 841
Downloads: 6,569,545 total
Affected Version Ranges: >= 1.12.0, < 1.12.4
Fixed in: 1.12.4
All affected versions: 1.12.0, 1.12.1, 1.12.2, 1.12.3
All unaffected versions: 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15, 1.12.16, 1.12.17, 1.12.18, 1.12.19, 1.12.20