All the vulnerabilites related to Google LLC - Google-oauth-java-client
cve-2021-22573
Vulnerability from cvelistv5
Published
2022-05-03 15:45
Modified
2024-08-03 18:44
Severity ?
EPSS score ?
Summary
Incorrect signature verification on Google-oauth-java-client
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/googleapis/google-oauth-java-client/pull/872 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Google LLC | Google-oauth-java-client |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:44:13.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/googleapis/google-oauth-java-client/pull/872"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Google-oauth-java-client",
"vendor": "Google LLC",
"versions": [
{
"lessThan": "1.33.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token\u0027s payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-03T15:45:11",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/googleapis/google-oauth-java-client/pull/872"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Incorrect signature verification on Google-oauth-java-client",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@google.com",
"ID": "CVE-2021-22573",
"STATE": "PUBLIC",
"TITLE": "Incorrect signature verification on Google-oauth-java-client"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Google-oauth-java-client",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.33.2"
}
]
}
}
]
},
"vendor_name": "Google LLC"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token\u0027s payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-347 Improper Verification of Cryptographic Signature"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/googleapis/google-oauth-java-client/pull/872",
"refsource": "MISC",
"url": "https://github.com/googleapis/google-oauth-java-client/pull/872"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2021-22573",
"datePublished": "2022-05-03T15:45:12",
"dateReserved": "2021-01-05T00:00:00",
"dateUpdated": "2024-08-03T18:44:13.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}