CVE-2021-22573 is a vulnerability in Google Oauth Client Library For Java
Published on May 3, 2022
Incorrect signature verification on Google-oauth-java-client
The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above
Vulnerability Analysis
CVE-2021-22573 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.
Products Associated with CVE-2021-22573
Want to know whenever a new CVE is published for Google Oauth Client Library For Java? stack.watch will email you.
Affected Versions
Google LLC Google-oauth-java-client:- Version unspecified and below 1.33.2 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2021-22573
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | com.google.oauth-client:google-oauth-client | >= 1.16.0-rc, < 1.33.3 | 1.33.3 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.