Vulnerability Details : CVE-2021-22573
The vulnerability is that the IDToken verifier does not check whether the token is properly signed. Signature verification is what ensures that the token's payload actually comes from the legitimate provider and not from someone else. An attacker can therefore supply a forged token with a custom payload, and it will pass validation on the client side. We recommend upgrading to version 1.33.3 or above.
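As an added example (not the library's own code), the vulnerable and fixed verification patterns side by side: claims-only checking accepts a forged token, signature checking rejects it. HS256 with a constructed key stands in for the provider's RSA-signed ID tokens, and the issuer, client id and key values are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions): stand-ins for the provider's key and ids.
PROVIDER_KEY = b"constructed-provider-signing-key"
ISSUER = "https://idp.example"
CLIENT_ID = "constructed-client-id"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; a forger simply calls this with a key of their own."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def claims_valid(payload: dict, now: float) -> bool:
    """Issuer, audience and expiry checks; both verifiers share these."""
    return (payload.get("iss") == ISSUER and payload.get("aud") == CLIENT_ID
            and payload.get("exp", 0) > now)

def verify_vulnerable(token: str, now: float) -> bool:
    """Vulnerable pattern: trusts the payload without ever checking the signature."""
    _, payload_b64, _ = token.split(".")
    return claims_valid(json.loads(b64url_decode(payload_b64)), now)

def verify_fixed(token: str, key: bytes, now: float) -> bool:
    """Fixed pattern: the signature over header.payload must match before claims count."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False  # do not let the token choose a weaker or absent algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False
    return claims_valid(json.loads(b64url_decode(payload_b64)), now)

def demo(now: float = 1_700_000_000.0) -> dict:
    """Genuine token from the provider vs. a forged one carrying a custom payload."""
    base = {"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 3600}
    genuine = mint_id_token({**base, "sub": "alice"}, PROVIDER_KEY)
    forged = mint_id_token({**base, "sub": "admin"}, b"attacker-chosen-key")
    return {"vuln_genuine": verify_vulnerable(genuine, now), "vuln_forged": verify_vulnerable(forged, now),
            "fixed_genuine": verify_fixed(genuine, PROVIDER_KEY, now), "fixed_forged": verify_fixed(forged, PROVIDER_KEY, now)}
```

`demo()` returns True for both tokens under the vulnerable check and False only for the forged token under the fixed one.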
Products affected by CVE-2021-22573
- cpe:2.3:a:google:oauth_client_library_for_java:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-22573
0.05% - Probability of exploitation activity in the next 30 days
EPSS Score History
~14% - Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-22573
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST |
8.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N | 2.3 | 5.8 | Google Inc. |
7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | 2.1 | 5.2 | NIST |
CWE ids for CVE-2021-22573
- The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Assigned by:
- cve-coordination@google.com (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2021-22573
- https://github.com/googleapis/google-oauth-java-client/pull/872 (chore(main): release 1.33.3 by release-please[bot] · Pull Request #872 · googleapis/google-oauth-java-client · GitHub): Issue Tracking; Patch; Release Notes; Third Party Advisory