GHSA-3x57-m5p4-rgh4

Source

https://github.com/advisories/GHSA-3x57-m5p4-rgh4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-3x57-m5p4-rgh4/GHSA-3x57-m5p4-rgh4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3x57-m5p4-rgh4

Published

2024-06-07T22:28:46Z

Modified

2024-12-04T05:38:56.535700Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

ZendOpenID potential security issue in login mechanism

Details

Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.

Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimedid and openid.endpointurl are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-20.html#positiveassertions, at least opendpoint, returnto, responsenonce, assochandle, and, if present in the response, claimed_id and identity, must be signed.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T22:28:46Z"
}

References

Affected packages

Packagist / zendframework/zendopenid

Package

Name: zendframework/zendopenid
Purl: pkg:composer/zendframework/zendopenid

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.2

Affected versions

2.*

2.0.0

2.0.1