CVE-2021-22573
Description
The IDToken verifier does not verify that the token is properly signed. Signature verification ensures that the token's payload comes from the valid provider and not from someone else. An attacker can provide a compromised token with a custom payload, and the token will pass validation on the client side. We recommend upgrading to version 1.33.3 or above.
Risk Information
Base Score
7.3
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS Score
Exploitation Probability
0.055
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerability CVE-2021-22573 is fixed in Google-google-oauth-client 1.33.3 | Windows |
| Vulnerability CVE-2021-22573 is fixed in Google-google-oauth-client for Linux 1.33.3 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234