CVE-2021-22573 Vulnerability Details


CVE-2021-22573 Metadata Quick Info

CVE Published: 03/05/2022 | CVE Updated: 03/08/2024 | CVE Year: 2021
Source: Google | Vendor: Google LLC | Product: Google-oauth-java-client
Status: PUBLISHED

CVE-2021-22573 Description

The vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload, and the token will pass validation on the client side. We recommend upgrading to version 1.33.3 or above.

Metrics

CVSS Version: 3.1 | Base Score: 8.7 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Exploitability Metrics:
    Attack Vector (AV): NETWORK
    Attack Complexity (AC): LOW
    Privileges Required (PR): LOW
    User Interaction (UI): REQUIRED
    Scope (S): CHANGED

Impact Metrics:
    Confidentiality Impact (C): HIGH
    Integrity Impact (I): HIGH
    Availability Impact (A): NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-347
CWE Name: CWE-347 Improper Verification of Cryptographic Signature
Source: Google LLC

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:
Source: NVD (National Vulnerability Database).