message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products, does not verify that the Attribute Exchange (AX) fields of a positive assertion are covered by the OpenID Provider's signature (the openid.signed list). A man-in-the-middle (MITM) can therefore insert or alter potentially sensitive AX attributes without invalidating the signature, and the relying party accepts the modified values undetected.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20 (Improper Input Validation)
Products Affected
| Vendor | Product | Version |
|---|---|---|
| kay_framework_project | kay_framework | 0.8.0 |
| redhat | jboss_enterprise_application_platform | 5.1.0 |
| openid | openid4java | 0.9.4.339 |
| kay_framework_project | kay_framework | * |
| kay_framework_project | kay_framework | 0.2.0 |
| redhat | jboss_enterprise_application_platform | 5.1.2 |
| kay_framework_project | kay_framework | 0.0.0 |
| kay_framework_project | kay_framework | 0.1.0 |
| kay_framework_project | kay_framework | 0.3.0 |
| openid | openid4java | 0.9.2 |
| redhat | jboss_enterprise_application_platform | 5.1.1 |
| openid | openid4java | 0.9.3 |
| kay_framework_project | kay_framework | 1.0.0 |
| openid | openid4java | * |
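The check the affected OpenID4Java releases omit is shown below as an added example (written in Ruby; it is not OpenID4Java's code and not ruby-openid's). It parses the query parameters of an OpenID 2.0 indirect positive assertion, locates the alias under which the AX namespace was declared, and refuses to hand back any AX attribute unless the namespace declaration and every AX field are listed in openid.signed. The sample assertions, the alias name ext1 and the signature value are constructed; verifying the HMAC in openid.sig over the signed fields is a separate, earlier step that this example assumes has already passed.

```ruby
require "uri"
require "set"

# Namespace URI that identifies the Attribute Exchange 1.0 extension.
AX_NS = "http://openid.net/srv/ax/1.0".freeze

# Turn the query string of an indirect OpenID response into a Hash.
def params_from_query(query)
  URI.decode_www_form(query).to_h
end

# Find the alias the OP chose for the AX namespace ("ext1" in
# openid.ns.ext1=http://openid.net/srv/ax/1.0). Returns nil if AX is absent.
def ax_alias(params)
  params.each do |key, value|
    return key.delete_prefix("openid.ns.") if key.start_with?("openid.ns.") && value == AX_NS
  end
  nil
end

# The field names (without the "openid." prefix) that openid.sig covers.
def signed_fields(params)
  params.fetch("openid.signed", "").split(",").map(&:strip).to_set
end

# Return the AX attributes of a positive assertion, keyed without the alias
# ("value.email" => "alice@example.org"), but only if the namespace declaration
# and every AX field are listed in openid.signed. Anything unsigned raises,
# because a MITM could have inserted or altered it without breaking the
# signature. This is the precondition the vulnerable AxMessage code skipped.
def trusted_ax_attributes(params)
  name = ax_alias(params)
  return {} if name.nil?

  signed = signed_fields(params)
  unsigned = []
  unsigned << "ns.#{name}" unless signed.include?("ns.#{name}")

  attrs = {}
  params.each do |key, value|
    next unless key.start_with?("openid.#{name}.")
    field = key.delete_prefix("openid.")          # e.g. "ext1.value.email"
    unsigned << field unless signed.include?(field)
    attrs[field.delete_prefix("#{name}.")] = value
  end

  raise SecurityError, "AX fields not covered by openid.sig: #{unsigned.join(', ')}" unless unsigned.empty?
  attrs
end

# Constructed sample assertions (not real OP output; the signature value is a
# placeholder, and the HMAC check itself is assumed to have run already).
COMMON = "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res" \
         "&openid.claimed_id=https://op.example.org/alice" \
         "&openid.ns.ext1=#{AX_NS}&openid.ext1.mode=fetch_response" \
         "&openid.ext1.type.email=http://axschema.org/contact/email" \
         "&openid.ext1.value.email=alice@example.org&openid.sig=PLACEHOLDER"

# The OP signed the AX fields along with the core ones: safe to use.
SIGNED_ASSERTION = COMMON + "&openid.signed=op_endpoint,claimed_id,identity,return_to," \
  "response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email"

# Same AX fields, but openid.signed lists only the core fields: a MITM could
# have rewritten the e-mail address and the signature would still verify.
UNSIGNED_ASSERTION = COMMON + "&openid.signed=op_endpoint,claimed_id,identity,return_to," \
  "response_nonce,assoc_handle"

if __FILE__ == $PROGRAM_NAME
  p trusted_ax_attributes(params_from_query(SIGNED_ASSERTION))
  begin
    trusted_ax_attributes(params_from_query(UNSIGNED_ASSERTION))
  rescue SecurityError => e
    puts "rejected: #{e.message}"
  end
end
```

The namespace declaration (ns.ext1) must itself be signed: if it is not, a MITM can re-point an innocuous alias at the AX namespace, so checking only the ext1.* fields is not enough.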
Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable flaw. The library is used by Rails web applications to integrate with OpenID Providers. Severity ranges from medium to critical depending on how the web application employs the library; applications whose OpenID integration closely follows the project's "example app" are at highest risk.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo (Insufficient Information)
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openid | ruby-openid | * |
Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorkeeper) 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field of an OAuth authorization request: when the request carries the 'openid' scope and prompt=none and results in an error response, that error is redirected to the supplied redirect_uri without the value having been checked against the client's registered redirect URIs. An attacker can therefore use the authorization endpoint to bounce victims to an arbitrary site, which enables phishing attacks against the authorization flow.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect')
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openid | openid_connect | * |
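The following is an added example (not Doorkeeper's or Doorkeeper::OpenidConnect's code) that models the authorization server's decision about where an error response goes. The vulnerable variant answers a prompt=none request for the openid scope with an error redirect to whatever redirect_uri the request carried; the fixed variant redirects only when that exact URI is registered for the client, and otherwise renders the error on the authorization server's own page, as RFC 6749 section 4.1.2.1 requires when redirect_uri is invalid. The client registry, client_id, error code and request parameters are constructed for the example.

```ruby
require "uri"

# Constructed client registration (a stand-in for the authorization server's
# application records, not Doorkeeper's data model). URIs are registered in full.
REGISTERED_CLIENTS = {
  "web-app" => ["https://app.example.com/callback"].freeze
}.freeze

# Exact string match, as OpenID Connect Core requires for redirect_uri.
def registered_redirect_uri?(client_id, redirect_uri)
  REGISTERED_CLIENTS.fetch(client_id, []).include?(redirect_uri)
end

# Build the error redirect: error (and state, if the client sent one) are
# appended to the redirect_uri's query string.
def error_redirect(redirect_uri, error, state)
  target = URI.parse(redirect_uri)
  query = URI.decode_www_form(target.query || "")
  query << ["error", error]
  query << ["state", state] if state
  target.query = URI.encode_www_form(query)
  target.to_s
end

# The request shape the flaw is triggered by: openid scope plus prompt=none,
# which obliges the server to answer without any user interaction.
def openid_prompt_none?(params)
  params["scope"].to_s.split(" ").include?("openid") && params["prompt"] == "none"
end

# Model of the vulnerable flow: the error is sent back to the request's
# redirect_uri as-is. Returns [:redirect, url] or [:render, error].
def deliver_error_vulnerable(params, error)
  uri = params["redirect_uri"]
  if openid_prompt_none?(params) && uri
    [:redirect, error_redirect(uri, error, params["state"])]
  else
    [:render, error]
  end
end

# Fixed flow: identical, except that the redirect happens only when the exact
# redirect_uri is registered for client_id. An unregistered URI is never a
# redirect target; the server shows the error itself.
def deliver_error_fixed(params, error)
  uri = params["redirect_uri"]
  if openid_prompt_none?(params) && uri && registered_redirect_uri?(params["client_id"], uri)
    [:redirect, error_redirect(uri, error, params["state"])]
  else
    [:render, error]
  end
end

# Constructed requests. The attacker sends the victim a link to the
# authorization endpoint that names the attacker's own redirect_uri.
ATTACK = {
  "client_id" => "web-app", "response_type" => "code", "scope" => "openid",
  "prompt" => "none", "redirect_uri" => "https://evil.example/login", "state" => "x"
}.freeze
LEGIT = ATTACK.merge("redirect_uri" => "https://app.example.com/callback").freeze

if __FILE__ == $PROGRAM_NAME
  p deliver_error_vulnerable(ATTACK, "login_required")  # bounces the victim to evil.example
  p deliver_error_fixed(ATTACK, "login_required")       # error rendered locally instead
  p deliver_error_fixed(LEGIT, "login_required")        # registered URI: redirect is fine
end
```

The registration check belongs before any branch that can emit a redirect, not only on the success path: with prompt=none the server is required to respond without interaction, so the error branch is reachable by anyone who can get a victim to open a link.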