Bug 2081879 (CVE-2021-22573) - CVE-2021-22573 google-oauth-client: Token signature not verified
Summary: CVE-2021-22573 google-oauth-client: Token signature not verified
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22573
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2082345 2082346 2082347 2082348 2082349 2082350 2082351 2082352
Blocks: 2081880
TreeView+ depends on / blocked
 
Reported: 2022-05-04 22:31 UTC by Patrick Del Bello
Modified: 2023-02-16 19:45 UTC (History)
72 users (show)

Fixed In Version: google-oauth-java-client 1.33.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Google OAuth Java client's IDToken verifier, where it does not verify if the token is properly signed. This issue could allow an attacker to provide a compromised token with a custom payload that will pass the validation on the client side, allowing access to information outside of their prescribed permissions.
Clone Of:
Environment:
Last Closed: 2022-06-07 16:49:46 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:4932 0 None None None 2022-06-07 13:52:37 UTC
Red Hat Product Errata RHSA-2022:5030 0 None None None 2022-06-14 14:46:42 UTC
Red Hat Product Errata RHSA-2022:5532 0 None None None 2022-07-07 14:23:16 UTC
Red Hat Product Errata RHSA-2022:7177 0 None None None 2022-10-25 13:42:38 UTC

Description Patrick Del Bello 2022-05-04 22:31:59 UTC
The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above

https://github.com/googleapis/google-oauth-java-client/pull/872

Comment 3 Anten Skrabec 2022-05-05 20:28:18 UTC
Created byte-buddy tracking bugs for this issue:

Affects: fedora-all [bug 2082345]

Comment 11 errata-xmlrpc 2022-06-07 13:52:33 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10.2.P1

Via RHSA-2022:4932 https://access.redhat.com/errata/RHSA-2022:4932

Comment 12 Product Security DevOps Team 2022-06-07 16:49:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22573

Comment 13 errata-xmlrpc 2022-06-14 14:46:38 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Online 7.10.2.P1

Via RHSA-2022:5030 https://access.redhat.com/errata/RHSA-2022:5030

Comment 14 errata-xmlrpc 2022-07-07 14:23:11 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 17 errata-xmlrpc 2022-10-25 13:42:34 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.14.5

Via RHSA-2022:7177 https://access.redhat.com/errata/RHSA-2022:7177


Note You need to log in before you can comment on or make changes to this bug.