VYPR
Unrated severityNVD Advisory· Published Nov 16, 2014· Updated Jun 17, 2026

CVE-2014-2684

CVE-2014-2684

Description

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

4
  • Zend/Framework2 versions
    cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*range: <=1.12.4
    • (no CPE)range: <1.12.4
  • Zend/Zendopenid2 versions
    cpe:2.3:a:zend:zendopenid:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:zend:zendopenid:*:*:*:*:*:*:*:*range: <=2.0.1
    • (no CPE)range: <2.0.2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.