Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-22573

Опубликовано: 03 мая 2022
Источник: redhat
CVSS3: 7.3
EPSS Низкий

Описание

The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above

A flaw was found in Google OAuth Java client's IDToken verifier, where it does not verify if the token is properly signed. This issue could allow an attacker to provide a compromised token with a custom payload that will pass the validation on the client side, allowing access to information outside of their prescribed permissions.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Logging Subsystem for Red Hat OpenShiftgoogle-oauth-clientAffected
Red Hat AMQ Broker 7google-oauth-clientNot affected
Red Hat build of Quarkusgoogle-oauth-clientNot affected
Red Hat Integration Camel K 1google-oauth-clientNot affected
Red Hat Integration Camel Quarkus 1google-oauth-clientNot affected
Red Hat Integration Data Virtualisation Operatorgoogle-oauth-clientNot affected
Red Hat JBoss Enterprise Application Platform 7google-oauth-clientNot affected
Red Hat JBoss Enterprise Application Platform Expansion Packgoogle-oauth-clientNot affected
Red Hat JBoss Fuse 6google-oauth-clientOut of support scope
Red Hat JBoss Fuse Service Works 6google-oauth-clientOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-347
https://bugzilla.redhat.com/show_bug.cgi?id=2081879google-oauth-client: Token signature not verified

EPSS

Процентиль: 17%
0.00055
Низкий

7.3 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-22573

CVSS3: 8.7
ubuntu
почти 4 года назад

The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above

nvd логотип

CVE-2021-22573

CVSS3: 8.7
nvd
почти 4 года назад

The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above

debian логотип

CVE-2021-22573

CVSS3: 8.7
debian
почти 4 года назад

The vulnerability is that IDToken verifier does not verify if token is ...

suse-cvrf логотип

SUSE-SU-2024:0806-1

suse-cvrf
почти 2 года назад

Security update for google-oauth-java-client

github логотип

GHSA-hw42-3568-wj87

CVSS3: 7.3
github
почти 2 года назад

google-oauth-java-client improperly verifies cryptographic signature

EPSS

Процентиль: 17%
0.00055
Низкий

7.3 High

CVSS3