Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/12967?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12967?format=api", "vulnerability_id": "VCID-wyyt-3d6v-qbc4", "summary": "google-oauth-java-client improperly verifies cryptographic signature\n### Summary\nThe vulnerability impacts only users of the `IdTokenVerifier` class. The verify method in `IdTokenVerifier` does not validate the signature before verifying the claims (e.g., iss, aud, etc.). Signature verification makes sure that the token's payload comes from a valid provider, not from someone else.\n\nAn attacker can provide a compromised token with a modified payload, such as a changed email or phone number. The token will pass the library's validation. Once verified, the modified payload can be used by the application. \n\nIf the application sends the verified `IdToken` to another service as is (for example, for auth), the risk is low, because the backend of that service is expected to check the signature and fail the request. \n\nReporter: [Tamjid al Rahat](https://github.com/tamjidrahat), contributor\n\n### Patches\nThe issue was fixed in version 1.33.3 of the library.\n\n### Proof of Concept\nTo reproduce, one needs to call the verify function with an IdToken instance that contains a malformed signature to successfully bypass the checks inside the verify function.\n\n```\n /** A default http transport factory for testing */\n static class DefaultHttpTransportFactory implements HttpTransportFactory {\n public HttpTransport create() {\n return new NetHttpTransport();\n }\n }\n\n// The below token has some modified bits in the signature\n private static final String SERVICE_ACCOUNT_RS256_TOKEN_BAD_SIGNATURE = \n\"eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlZjc3YjM4YTFiMDM3MDQ4NzA0MzkxNmFjYmYyN2Q3NG\" +\n\"VkZDA4YjEiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2V4YW1wbGUuY29tL2F1ZGllbm\" +\n\"NlIiwiZXhwIjoxNTg3NjMwNTQzLCJpYXQiOjE1ODc2MjY5NDMsImlzcyI6InNvbWUgaXNzdWVy\" +\n\"Iiwic3ViIjoic29tZSBzdWJqZWN0In0.gGOQW0qQgs4jGUmCsgRV83RqsJLaEy89-ZOG6p1u0Y26\" 
+\n\"FyY06b6Odgd7xXLsSTiiSnch62dl0Lfi9D0x2ByxvsGOCbovmBl2ZZ0zHr1wpc4N0XS9lMUq5RJ\" + \n\"QbonDibxXG4nC2zroDfvD0h7i-L8KMXeJb9pYwW7LkmrM_YwYfJnWnZ4bpcsDjojmPeUBlACg7tjjOgBFby\" +\n\"QZvUtaERJwSRlaWibvNjof7eCVfZChE0PwBpZc_cGqSqKXv544L4ttqdCnm0NjqrTATXwC4gYx\" + \n\"ruevkjHfYI5ojcQmXoWDJJ0-_jzfyPE4MFFdCFgzLgnfIOwe5ve0MtquKuv2O0pgvg\";\n\nIdTokenVerifier tokenVerifier =\n new IdTokenVerifier.Builder()\n .setClock(clock)\n .setCertificatesLocation(\"https://www.googleapis.com/robot/v1/metadata/x509/integration-tests%40chingor-test.iam.gserviceaccount.com\")\n .setHttpTransportFactory(new DefaultHttpTransportFactory())\n .build();\n\n// verification will return true despite modified signature for versions <1.33.3\ntokenVerifier.verify(IdToken.parse(GsonFactory.getDefaultInstance(), SERVICE_ACCOUNT_RS256_TOKEN_BAD_SIGNATURE));\n\n```\n\n### Remediation and Mitigation\nUpdate to version 1.33.3 or higher.\n\nIf the library is used indirectly or cannot be updated for any reason, you can use similar IdToken verifiers provided by Google that already have signature verification. 
For example: \n[google-auth-library-java](https://github.com/googleapis/google-auth-library-java/blob/main/oauth2_http/java/com/google/auth/oauth2/TokenVerifier.java)\n[google-api-java-client](https://github.com/googleapis/google-api-java-client/blob/main/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleIdTokenVerifier.java)\n\n### Timeline\nDate reported: 12 Dec 2021\nDate fixed: 13 Apr 2022\nDate disclosed: 2 May 2022\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [google-oauth-java-client](https://github.com/googleapis/google-oauth-java-client) repo", "aliases": [ { "alias": "CVE-2021-22573" }, { "alias": "GHSA-hw42-3568-wj87" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/924237?format=api", "purl": "pkg:deb/debian/google-oauth-client-java@1.33.3-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/google-oauth-client-java@1.33.3-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/924235?format=api", "purl": "pkg:deb/debian/google-oauth-client-java@1.34.1-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/google-oauth-client-java@1.34.1-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1056512?format=api", "purl": "pkg:deb/debian/google-oauth-client-java@1.34.1-2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/google-oauth-client-java@1.34.1-2" }, { "url": "http://public2.vulnerablecode.io/api/packages/46383?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.33.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.33.3" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1056511?format=api", "purl": "pkg:deb/debian/google-oauth-client-java@1.28.0-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/google-oauth-client-java@1.28.0-2" }, { "url": "http://public2.vulnerablecode.io/api/packages/924236?format=api", "purl": "pkg:deb/debian/google-oauth-client-java@1.28.0-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/google-oauth-client-java@1.28.0-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/209204?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.5.0-alpha", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.5.0-alpha" }, { "url": "http://public2.vulnerablecode.io/api/packages/209205?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.5.0-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.5.0-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209206?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.5.1-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": 
"VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.5.1-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209207?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.5.2-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.5.2-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209208?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.6.0-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.6.0-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209209?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.7.0-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.7.0-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209210?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.8.0-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.8.0-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209211?format=api", "purl": 
"pkg:maven/com.google.oauth-client/google-oauth-client@1.9.0-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.9.0-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209212?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.10.0-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.10.0-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209213?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.10.1-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.10.1-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209214?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.11.0-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.11.0-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209215?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.12.0-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.12.0-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209216?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.13.0-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.13.0-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209217?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.13.1-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.13.1-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209218?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.14.0-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.14.0-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209219?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.14.1-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.14.1-beta" }, { "url": "http://public2.vulnerablecode.io/api/packages/209220?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.15.0-rc", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.15.0-rc" }, { "url": "http://public2.vulnerablecode.io/api/packages/143407?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.16.0-rc", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-nxra-x3yv-5qd6" }, { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.16.0-rc" }, { "url": "http://public2.vulnerablecode.io/api/packages/209221?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.17.0-rc", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.17.0-rc" }, { "url": "http://public2.vulnerablecode.io/api/packages/209222?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.18.0-rc", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.18.0-rc" }, { "url": "http://public2.vulnerablecode.io/api/packages/209223?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.19.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.19.0" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/209224?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.20.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.20.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/209225?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.21.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.21.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/209226?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.22.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.22.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/209227?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.23.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.23.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/209228?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.24.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.24.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/209229?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.25.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.25.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/209230?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.26.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.26.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/209231?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.27.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.27.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/209232?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.28.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.28.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/209233?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.29.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.29.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/209234?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.29.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.29.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/209235?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.30.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/209236?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.30.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/209237?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.30.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/209238?format=api", "purl": 
"pkg:maven/com.google.oauth-client/google-oauth-client@1.30.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/209239?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.30.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/209240?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.30.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/74224?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.31.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/299644?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.31.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/299645?format=api", 
"purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.31.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/299646?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.31.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/299647?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.31.4-sp.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.4-sp.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/299648?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.31.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/299649?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.32.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.32.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/299650?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.33.0", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.33.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/299651?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.33.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.33.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/299652?format=api", "purl": "pkg:maven/com.google.oauth-client/google-oauth-client@1.33.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wyyt-3d6v-qbc4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.33.2" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22573.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22573.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22573", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17245", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17303", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17471", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17518", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", 
"scoring_elements": "0.17298", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17389", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17449", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17461", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17414", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17358", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17299", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17307", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17338", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22573" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573" }, { "reference_url": "https://github.com/googleapis/google-oauth-java-client", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/googleapis/google-oauth-java-client" }, { "reference_url": "https://github.com/googleapis/google-oauth-java-client/commit/c634ad4e31cac322bb1aa8a9feb0569749011bf0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/googleapis/google-oauth-java-client/commit/c634ad4e31cac322bb1aa8a9feb0569749011bf0" }, { "reference_url": "https://github.com/googleapis/google-oauth-java-client/pull/872", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/googleapis/google-oauth-java-client/pull/872" }, { "reference_url": "https://github.com/googleapis/google-oauth-java-client/security/advisories/GHSA-hw42-3568-wj87", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/googleapis/google-oauth-java-client/security/advisories/GHSA-hw42-3568-wj87" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22573", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22573" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010657", "reference_id": "1010657", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010657" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081879", "reference_id": "2081879", "reference_type": "", "scores": [], "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2081879" }, { "reference_url": "https://github.com/advisories/GHSA-hw42-3568-wj87", "reference_id": "GHSA-hw42-3568-wj87", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hw42-3568-wj87" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:4932", "reference_id": "RHSA-2022:4932", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:4932" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5030", "reference_id": "RHSA-2022:5030", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5030" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5532", "reference_id": "RHSA-2022:5532", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5532" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7177", "reference_id": "RHSA-2022:7177", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7177" } ], "weaknesses": [ { "cwe_id": 347, "name": "Improper Verification of Cryptographic Signature", "description": "The product does not verify, or incorrectly verifies, the cryptographic signature for data." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wyyt-3d6v-qbc4" }