7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-3x57-m5p4-rgh4

EPSS Score

CWE

CWE-287

Published

6/7/2024

Updated

6/7/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-3x57-m5p4-rgh4

GHSA-3x57-m5p4-rgh4: ZendOpenID potential security issue in login mechanism

Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.

Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-3x57-m5p4-rgh4

EPSS Score

CWE

CWE-287

Published

6/7/2024

Updated

6/7/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
zendframework/zendopenid	composer	>= 2.0.0, < 2.0.2	2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incomplete signature validation in the verify method. The patch adds 1) a check for association between op_endpoint and assoc_handle, and 2) validation that all parameters in _signParams array (and claimed_id/identity when present) are included in the signed parameters. The pre-patch version lacked these checks, enabling the described authentication bypass. The function's role in processing OpenID responses and the specific security-focused changes in the commit confirm this as the vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Usin* t** *onsum*r *ompon*nt o* Z*n*Op*nI* (or Z*n*_Op*nI* in Z**), it is possi*l* to lo*in usin* *n *r*itr*ry Op*nI* ***ount (wit*out knowin* *ny s**r*t in*orm*tion) *y usin* * m*li*ious Op*nI* Provi**r. T**t m**ns Op*nI* it is possi*l* to lo*in usi

Reasoning

T** vuln*r**ility st*ms *rom in*ompl*t* si*n*tur* v*li**tion in t** v*ri*y m*t*o*. T** p*t** ***s *) * ****k *or *sso*i*tion **tw**n op_*n*point *n* *sso*_**n*l*, *n* *) v*li**tion t**t *ll p*r*m*t*rs in _si*nP*r*ms *rr*y (*n* *l*im**_i*/i**ntity w**

7.5

Basic Information

Concerned about an active attack path?

GHSA-3x57-m5p4-rgh4: ZendOpenID potential security issue in login mechanism

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI