CVE-2021-22573

EPSS 0.05%
Published 03.05.2022 16:15:18
Last modified 21.11.2024 05:50:21
Source cve-coordination@google.com
Teams watchlist Login
Open Login

The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Google ≫ Oauth Client Library For Java Version < 1.33.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.165

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.3	2.1	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N
cve-coordination@google.com	8.7	2.3	5.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/googleapis/google-oauth-java-client/pull/872

Patch

Third Party Advisory

Release Notes

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2021-22573

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-22573

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-22573

EUVD