Security News > 2022 > May > High-Severity Bug Reported in Google's OAuth Client Library for Java

High-Severity Bug Reported in Google's OAuth Client Library for Java
2022-05-19 03:05

Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads.

Tracked as CVE-2021-22573, the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from an improper verification of the cryptographic signature.

"Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side."

The open-source Java library, built on the Google HTTP Client Library for Java, makes it possible to obtain access tokens to any service on the web that supports the OAuth authorization standard.

Google, in its README file for the project on GitHub, notes that the library is supported in maintenance mode and that it's only fixing necessary bugs, indicative of the severity of the vulnerability.

Users of the google-oauth-java-client library are recommended to update to version 1.33.3, released on April 13, to mitigate any potential risk.


News URL

https://thehackernews.com/2022/05/high-severity-bug-reported-in-googles.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-05-03 CVE-2021-22573 Improper Verification of Cryptographic Signature vulnerability in Google Oauth Client Library for Java
The vulnerability is that IDToken verifier does not verify if token is properly signed.
network
low complexity
google CWE-347
7.3