CVE-2021-22573

NameCVE-2021-22573
DescriptionThe vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1010657

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
google-oauth-client-java (PTS)bullseye1.28.0-2vulnerable
bookworm, sid, trixie1.34.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
google-oauth-client-javasource(unstable)1.33.3-11010657

Notes

[bullseye] - google-oauth-client-java <no-dsa> (Minor issue)
https://github.com/googleapis/google-oauth-java-client/issues/786
https://github.com/googleapis/google-oauth-java-client/pull/861
https://github.com/googleapis/google-oauth-java-client/pull/872 (1.33.3)
https://github.com/googleapis/google-oauth-java-client/commit/22419d60579ef4c1a8a256a90e6ca7bc58f09aa1 (v1.33.3)
Search for package or bug name: Reporting problems