#VU64471 Improper Verification of Cryptographic Signature in Google API Client Library for Java


Published: 2022-06-17

Vulnerability identifier: #VU64471

Vulnerability risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22573

CWE-ID: CWE-347

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Google API Client Library for Java
Universal components / Libraries / Libraries used by multiple products

Vendor: Google

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to IDToken verifier does not verify if token is properly signed. A remote authenticated user can provide a compromised token with custom payload and gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Google API Client Library for Java: 1.19.0 - 1.33.2

External links
http://github.com/googleapis/google-oauth-java-client/pull/872
http://bugzilla.redhat.com/show_bug.cgi?id=2081879

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for google-oauth-java-client
Multiple vulnerabilities in IBM Maximo Application Suite - Manage Component
Multiple vulnerabilities in IBM Maximo Asset Management
Improper verification of cryptographic signature in IBM QRadar SIEM
Multiple vulnerabilities in Autodesk InfraWorks
Information disclosure in Red Hat Camel for Spring Boot
Improper Verification of Cryptographic Signature in Red hat Fuse
Multiple vulnerabilities in Red Hat Fuse
Improper Verification of Cryptographic Signature in Google API Client Library for Java