Bug 1199188 - (CVE-2021-22573) VUL-0: CVE-2021-22573: google-oauth-java-client: Token signature not verified
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/330598/
Depends on:
Blocks:
Reported: 2022-05-04 09:08 UTC by Hu
Modified: 2022-05-04 09:15 UTC
CC List: 0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Hu 2022-05-04 09:08:49 UTC
CVE-2021-22573

The vulnerability is that the IDToken verifier does not verify if the token is properly
signed. Signature verification makes sure that the token's payload comes from a
valid provider, not from someone else. An attacker can provide a compromised
token with a custom payload. The token will pass the validation on the client
side. We recommend upgrading to version 1.33.3 or above.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573
https://github.com/googleapis/google-oauth-java-client/pull/872
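The flaw described above, a verifier that accepts an ID token's payload after checking only issuer, audience and expiry, placed next to the corrected check that verifies the signature first, as an added example that is not part of this bug report or of google-oauth-java-client. It uses Python's standard library and an HS256 shared key (an assumption made so the demo runs offline; Google ID tokens are RS256-signed against the provider's published keys), and the issuer, audience, key and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT; stands in for the provider's own signing step."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def claims_are_acceptable(claims: dict, issuer: str, audience: str, now: int) -> bool:
    """Issuer, audience and expiry checks that an ID token verifier performs."""
    return (claims.get("iss") == issuer and claims.get("aud") == audience
            and claims.get("exp", 0) > now)

def verify_claims_only(token: str, issuer: str, audience: str, now: int) -> bool:
    """Flawed pattern: decodes the payload and trusts it without any signature check."""
    _, payload, _ = token.split(".")
    return claims_are_acceptable(json.loads(b64url_decode(payload)), issuer, audience, now)

def verify_token(token: str, key: bytes, issuer: str, audience: str, now: int) -> bool:
    """Fixed pattern: look at the claims only after the signature has been verified."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False  # pin the expected algorithm instead of trusting the header
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False  # payload is not what the provider signed; ignore its claims
    return claims_are_acceptable(json.loads(b64url_decode(payload_b64)), issuer, audience, now)

# Constructed sample data: a genuine token and a test vector whose payload was
# re-encoded with a different subject while header and signature were left intact.
ISSUER, AUDIENCE, KEY, NOW = "https://issuer.example", "client-123", b"constructed-key", 1_700_000_000
GENUINE = sign_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": NOW + 3600}, KEY)
_hdr, _, _sig = GENUINE.split(".")
TAMPERED = ".".join([_hdr, b64url_encode(json.dumps(
    {"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "exp": NOW + 3600}).encode()), _sig])
```

The claims-only verifier accepts both tokens, while the signature-checking verifier rejects the tampered one, a token signed with another key, and an expired token.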
Comment 1 Hu 2022-05-04 09:11:13 UTC
Affected:
- openSUSE:Backports:SLE-15-SP3/google-oauth-java-client 1.22.0