Authentication Bypass in Zend Framework Components from Zend
CVE-2014-8088

Currently unrated

Key Information:

Vendor: Zend

CVE Published: 22 October 2014

What is CVE-2014-8088?

The Zend Framework contains a vulnerability in the Zend_Ldap class and component that permits remote attackers to bypass authentication. The bypass occurs when a password begins with a null byte, which results in an unauthenticated bind. This could enable malicious actors to gain unauthorized access to systems that rely on vulnerable versions of the framework.
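The check a caller can apply before any LDAP bind, shown as an added example that is not Zend Framework code. It assumes the password reaches the LDAP library as a NUL-terminated C string; the function names, the sample DN and the stand-in server are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example; not Zend Framework code. All function names are hypothetical.

/** What a NUL-terminated C string API would keep of $password (assumption). */
function effectivePassword(string $password): string
{
    $nul = strpos($password, "\0");
    return $nul === false ? $password : substr($password, 0, $nul);
}

/** Kind of simple bind the directory server would see (RFC 4513, section 5.1). */
function classifySimpleBind(string $dn, string $password): string
{
    $seen = effectivePassword($password);
    if ($seen !== '') {
        return 'authenticated'; // name/password bind: the server checks the password
    }
    return $dn === '' ? 'anonymous' : 'unauthenticated';
}

/** Refuse credentials that cannot result in a password-verified bind. */
function guardedBind(callable $bind, string $dn, string $password): bool
{
    if ($dn === '' || $password === '' || strpos($password, "\0") !== false) {
        return false; // rejected before the LDAP library is called
    }
    return (bool) $bind($dn, $password);
}

// Constructed stand-in for a server that accepts unauthenticated binds:
// an empty password succeeds, anything else must match the stored one.
$fakeServer = function (string $dn, string $password): bool {
    $seen = effectivePassword($password);
    return $seen === '' || $seen === 'correct-horse';
};

$dn = 'uid=alice,dc=example,dc=org'; // constructed sample DN
foreach (['correct-horse', 'wrong', '', "\0wrong", "correct-horse\0x"] as $pw) {
    printf(
        "%-22s server sees: %-15s unguarded=%-5s guarded=%s\n",
        json_encode($pw),
        classifySimpleBind($dn, $pw),
        var_export($fakeServer($dn, $pw), true),
        var_export(guardedBind($fakeServer, $dn, $pw), true)
    );
}
```

The guard treats a bind as a login only when the server actually verified a non-empty password; rejecting any embedded null byte also covers passwords that would be silently truncated.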
