CVE-2010-3686

Sažetak

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

Reference

http://drupal.org/node/880476
http://drupal.org/node/880480
http://marc.info/?l=oss-security&m=128418560705305&w=2
http://marc.info/?l=oss-security&m=128440896914512&w=2
http://www.debian.org/security/2010/dsa-2113
http://www.securityfocus.com/bid/42388

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

30-09-2010 - 04:00

Objavljeno

29-09-2010 - 17:00