MidnightBSD

Advisories for openid

CVE-2011-4314 MEDIUM

message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products, does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor                 Product                                Version
kay_framework_project  kay_framework                          *
kay_framework_project  kay_framework                          0.0.0
kay_framework_project  kay_framework                          0.1.0
kay_framework_project  kay_framework                          0.2.0
kay_framework_project  kay_framework                          0.3.0
kay_framework_project  kay_framework                          0.8.0
kay_framework_project  kay_framework                          1.0.0
openid                 openid4java                            *
openid                 openid4java                            0.9.2
openid                 openid4java                            0.9.3
openid                 openid4java                            0.9.4.339
redhat                 jboss_enterprise_application_platform  5.1.0
redhat                 jboss_enterprise_application_platform  5.1.1
redhat                 jboss_enterprise_application_platform  5.1.2

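
What "does not verify that AX information is signed" means in practice, as an added Ruby example that is neither OpenID4Java's code (that library is Java) nor part of this advisory: an OpenID 2.0 positive assertion carries openid.signed, the list of fields the OP's HMAC covers. A relying party that checks the HMAC but then reads AX values regardless of whether they appear in that list accepts anything a MITM appended or rewrote. The assertion, MAC key, OP endpoint and identity URLs below are constructed for the example.

```ruby
require 'openssl'

AX_NS = 'http://openid.net/srv/ax/1.0'.freeze

# OpenID 2.0 signature (spec section 6): for each field named in openid.signed,
# in order, append "field:value\n" (field without the "openid." prefix), then
# HMAC the result with the association MAC key and base64-encode it.
def kv_signature(params, mac_key, digest = 'SHA256')
  fields = params.fetch('openid.signed').split(',')
  kv = fields.map { |f| "#{f}:#{params.fetch("openid.#{f}")}\n" }.join
  [OpenSSL::HMAC.digest(digest, mac_key, kv)].pack('m0') # m0 = strict base64
end

# Constant-time comparison of two equal-length strings.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def signature_valid?(params, mac_key)
  secure_equal?(kv_signature(params, mac_key), params.fetch('openid.sig', ''))
end

# Namespace alias bound to the AX extension (e.g. "ext1"), or nil if absent.
def ax_alias(params)
  params.each do |k, v|
    return k.delete_prefix('openid.ns.') if k.start_with?('openid.ns.') && v == AX_NS
  end
  nil
end

# Vulnerable RP behaviour: the HMAC over the signed fields checks out, so every
# AX value present in the message is trusted, whether or not it was signed.
def ax_email_unchecked(params, mac_key)
  return nil unless signature_valid?(params, mac_key)
  al = ax_alias(params) or return nil
  params["openid.#{al}.value.email"]
end

# Hardened: additionally require the AX namespace declaration and every field
# under the AX alias to be listed in openid.signed; otherwise the message has
# no trustworthy AX data at all.
def ax_email_signed(params, mac_key)
  return nil unless signature_valid?(params, mac_key)
  al = ax_alias(params) or return nil
  signed = params.fetch('openid.signed').split(',')
  ax_fields = params.keys.select { |k| k.start_with?("openid.#{al}.") }
                    .map { |k| k.delete_prefix('openid.') }
  covered = signed.include?("ns.#{al}") && ax_fields.all? { |f| signed.include?(f) }
  covered ? params["openid.#{al}.value.email"] : nil
end

# Constructed positive assertion (hypothetical OP and RP URLs). By default the
# OP signs only the core fields and leaves the AX fields out of openid.signed.
def build_assertion(mac_key, email, sign_ax: false)
  p = {
    'openid.ns' => 'http://specs.openid.net/auth/2.0',
    'openid.mode' => 'id_res',
    'openid.op_endpoint' => 'https://op.example.test/endpoint',
    'openid.claimed_id' => 'https://op.example.test/u/alice',
    'openid.identity' => 'https://op.example.test/u/alice',
    'openid.return_to' => 'https://rp.example.test/return',
    'openid.response_nonce' => '2011-11-01T00:00:00Zabc123',
    'openid.assoc_handle' => 'handle-1',
    'openid.ns.ext1' => AX_NS,
    'openid.ext1.mode' => 'fetch_response',
    'openid.ext1.type.email' => 'http://axschema.org/contact/email',
    'openid.ext1.value.email' => email,
  }
  signed = %w[op_endpoint claimed_id identity return_to response_nonce assoc_handle]
  signed += %w[ns.ext1 ext1.mode ext1.type.email ext1.value.email] if sign_ax
  p['openid.signed'] = signed.join(',')
  p['openid.sig'] = kv_signature(p, mac_key)
  p
end

# A MITM between OP and RP rewrites the unsigned AX email; the core signature
# still verifies because the AX fields were never covered by it.
def demo
  mac_key = OpenSSL::Random.random_bytes(32) # constructed; normally from the association
  tampered = build_assertion(mac_key, 'alice@example.test')
             .merge('openid.ext1.value.email' => 'attacker@evil.test')
  {
    unchecked: ax_email_unchecked(tampered, mac_key), # "attacker@evil.test"
    hardened: ax_email_signed(tampered, mac_key),     # nil
    signed_ok: ax_email_signed(build_assertion(mac_key, 'alice@example.test', sign_ax: true), mac_key),
  }
end
```

The hardened path is the only one that distinguishes the two assertions: with the AX fields inside openid.signed the email is returned, with them outside it the message is treated as carrying no AX data. Note that the check is separate from HMAC verification; a correct signature proves nothing about fields the signature never covered.
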
CVE-2019-11027 HIGH

Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable flaw. This library is used by Rails web applications to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to employ the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor  Product      Version
openid  ruby-openid  *

CVE-2019-9837 MEDIUM

Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorkeeper) 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in an OAuth authorization request (that results in an error response) with the 'openid' scope and a prompt=none value. This allows phishing attacks against the authorization flow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601

Products Affected

Vendor  Product         Version
openid  openid_connect  *
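
The two behaviours the Doorkeeper::OpenidConnect entry contrasts, as an added Ruby model that is not Doorkeeper's code and does not reproduce its data model: an authorization endpoint that, on a prompt=none error for the openid scope, redirects to whatever redirect_uri the request carried, next to one that refuses to redirect anywhere but a URI registered for the client. The client registry, URLs and request parameters below are constructed for the example.

```ruby
require 'uri'

# Constructed client registry (hypothetical). A real server reads this from its
# client store; what matters is the exact-match list of registered redirect URIs.
CLIENTS = {
  'rp-client' => { redirect_uris: ['https://rp.example.test/callback'] },
}.freeze

# OAuth 2.0 / OIDC: a redirect_uri must match a registered value exactly.
def registered_redirect_uri?(client, uri)
  client[:redirect_uris].include?(uri)
end

# Build the error redirect: error code plus the client's state, if it sent one.
def error_redirect(uri, error, state)
  u = URI(uri)
  q = URI.encode_www_form({ error: error, state: state }.compact)
  u.query = [u.query, q].compact.join('&')
  u.to_s
end

# Minimal authorization endpoint. validate_redirect_uri: false models the
# vulnerable flow (an error response is sent to the request's redirect_uri
# unchecked); true models the fix (an unregistered redirect_uri is an error
# rendered on the server, never a redirect, even when prompt=none would
# otherwise require the error to be delivered by redirect).
def authorize(params, session_authenticated:, validate_redirect_uri:, clients: CLIENTS)
  client = clients[params['client_id']]
  return { action: :render_error, error: 'invalid_client' } if client.nil?

  redirect_uri = params['redirect_uri']
  if validate_redirect_uri && !registered_redirect_uri?(client, redirect_uri)
    return { action: :render_error, error: 'invalid_redirect_uri' }
  end

  scopes = params.fetch('scope', '').split
  if scopes.include?('openid') && params['prompt'] == 'none' && !session_authenticated
    # OIDC Core 3.1.2.6: prompt=none with no authenticated user yields
    # error=login_required, returned to the client via the redirect_uri.
    return { action: :redirect,
             location: error_redirect(redirect_uri, 'login_required', params['state']) }
  end

  { action: :show_consent }
end

# Phishing request: a real client_id, the openid scope, prompt=none and an
# attacker-controlled redirect_uri, sent by a victim with no session.
def demo
  attack = {
    'client_id' => 'rp-client',
    'redirect_uri' => 'https://evil.example.test/phish',
    'scope' => 'openid',
    'prompt' => 'none',
    'state' => 'xyz',
  }
  {
    vulnerable: authorize(attack, session_authenticated: false, validate_redirect_uri: false),
    fixed: authorize(attack, session_authenticated: false, validate_redirect_uri: true),
  }
end
```

In the vulnerable case the victim is bounced from the trusted authorization server to https://evil.example.test/phish?error=login_required&state=xyz, which is what makes the flow usable for phishing. The fixed case still redirects errors for a registered URI, as OIDC requires for prompt=none; it only refuses to do so for a URI the client never registered.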