CVE-2021-22573
Summary
| CVE | CVE-2021-22573 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-05-03 16:15:00 UTC |
| Updated | 2022-05-10 23:51:00 UTC |
| Description | The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| chore(main): release 1.33.3 by release-please[bot] · Pull Request #872 · googleapis/google-oauth-java-client · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 184756 Debian Security Update for google-oauth-client-java (CVE-2021-22573)
- 755931 SUSE Enterprise Linux Security Update for google-oauth-java-client (SUSE-SU-2024:0806-1)
- 755932 SUSE Enterprise Linux Security Update for google-oauth-java-client (SUSE-SU-2024:0806-1)
- 755933 SUSE Enterprise Linux Security Update for google-oauth-java-client (SUSE-SU-2024:0806-1)
- 755934 SUSE Enterprise Linux Security Update for google-oauth-java-client (SUSE-SU-2024:0806-1)
- 998007 Java (Maven) Security Update for com.google.oauth-client:google-oauth-client (GHSA-hw42-3568-wj87)