{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12967?format=json","vulnerability_id":"VCID-wyyt-3d6v-qbc4","summary":"google-oauth-java-client improperly verifies cryptographic signature\n### Summary\nThe vulnerability impacts only users of the `IdTokenVerifier` class. The verify method in `IdTokenVerifier` does not validate the signature before verifying the claims (e.g., iss, aud, etc.). Signature verification makes sure that the token's payload comes from a valid provider, not from someone else.\n\nAn attacker can provide a compromised token with a modified payload, such as the email or phone number. The token will pass the library's validation. Once verified, the modified payload can be used by the application. \n\nIf the application sends the verified `IdToken` to another service as is, for example for auth, the risk is low, because the backend of the service is expected to check the signature and fail the request. \n\nReporter: [Tamjid al Rahat](https://github.com/tamjidrahat), contributor\n\n### Patches\nThe issue was fixed in version 1.33.3 of the library.\n\n### Proof of Concept\nTo reproduce, one needs to call the verify function with an IdToken instance that contains a malformed signature to successfully bypass the checks inside the verify function.\n\n```\n  /** A default http transport factory for testing */\n  static class DefaultHttpTransportFactory implements HttpTransportFactory {\n    public HttpTransport create() {\n      return new NetHttpTransport();\n    }\n  }\n\n// The below token has some modified bits in the signature\n private static final String SERVICE_ACCOUNT_RS256_TOKEN_BAD_SIGNATURE =    \n\"eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlZjc3YjM4YTFiMDM3MDQ4NzA0MzkxNmFjYmYyN2Q3NG\" +\n\"VkZDA4YjEiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2V4YW1wbGUuY29tL2F1ZGllbm\" +\n\"NlIiwiZXhwIjoxNTg3NjMwNTQzLCJpYXQiOjE1ODc2MjY5NDMsImlzcyI6InNvbWUgaXNzdWVy\" +\n\"Iiwic3ViIjoic29tZSBzdWJqZWN0In0.gGOQW0qQgs4jGUmCsgRV83RqsJLaEy89-ZOG6p1u0Y26\" 
+\n\"FyY06b6Odgd7xXLsSTiiSnch62dl0Lfi9D0x2ByxvsGOCbovmBl2ZZ0zHr1wpc4N0XS9lMUq5RJ\" + \n\"QbonDibxXG4nC2zroDfvD0h7i-L8KMXeJb9pYwW7LkmrM_YwYfJnWnZ4bpcsDjojmPeUBlACg7tjjOgBFby\" +\n\"QZvUtaERJwSRlaWibvNjof7eCVfZChE0PwBpZc_cGqSqKXv544L4ttqdCnm0NjqrTATXwC4gYx\" + \n\"ruevkjHfYI5ojcQmXoWDJJ0-_jzfyPE4MFFdCFgzLgnfIOwe5ve0MtquKuv2O0pgvg\";\n\nIdTokenVerifier tokenVerifier =\n        new IdTokenVerifier.Builder()\n            .setClock(clock)\n            .setCertificatesLocation(\"https://www.googleapis.com/robot/v1/metadata/x509/integration-tests%40chingor-test.iam.gserviceaccount.com\")\n            .setHttpTransportFactory(new DefaultHttpTransportFactory())\n            .build();\n\n// verification will return true despite modified signature for versions <1.33.3\ntokenVerifier.verify(IdToken.parse(GsonFactory.getDefaultInstance(), SERVICE_ACCOUNT_RS256_TOKEN_BAD_SIGNATURE));\n\n```\n\n### Remediation and Mitigation\nUpdate to version 1.33.3 or higher.\n\nIf the library is used indirectly or cannot be updated for any reason, you can use similar IdToken verifiers provided by Google that already have signature verification. 
For example: \n[google-auth-library-java](https://github.com/googleapis/google-auth-library-java/blob/main/oauth2_http/java/com/google/auth/oauth2/TokenVerifier.java)\n[google-api-java-client](https://github.com/googleapis/google-api-java-client/blob/main/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleIdTokenVerifier.java)\n\n### Timeline\nDate reported: 12 Dec 2021\nDate fixed: 13 Apr 2022\nDate disclosed: 2 May 2022\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [google-oauth-java-client](https://github.com/googleapis/google-oauth-java-client) repo","aliases":[{"alias":"CVE-2021-22573"},{"alias":"GHSA-hw42-3568-wj87"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/924237?format=json","purl":"pkg:deb/debian/google-oauth-client-java@1.33.3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/google-oauth-client-java@1.33.3-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/924235?format=json","purl":"pkg:deb/debian/google-oauth-client-java@1.34.1-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/google-oauth-client-java@1.34.1-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1056512?format=json","purl":"pkg:deb/debian/google-oauth-client-java@1.34.1-2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/google-oauth-client-java@1.34.1-2"},{"url":"http://public2.vulnerablecode.io/api/packages/46383?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.33.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-
client@1.33.3"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1056511?format=json","purl":"pkg:deb/debian/google-oauth-client-java@1.28.0-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/google-oauth-client-java@1.28.0-2"},{"url":"http://public2.vulnerablecode.io/api/packages/924236?format=json","purl":"pkg:deb/debian/google-oauth-client-java@1.28.0-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/google-oauth-client-java@1.28.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/209204?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.5.0-alpha","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.5.0-alpha"},{"url":"http://public2.vulnerablecode.io/api/packages/209205?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.5.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.5.0-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209206?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.5.1-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.5.1-beta"},{"url":"http://public2.vulnerablecode.io/ap
i/packages/209207?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.5.2-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.5.2-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209208?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.6.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.6.0-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209209?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.7.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.7.0-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209210?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.8.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.8.0-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209211?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.9.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.9.0-beta"},{"url":"http:
//public2.vulnerablecode.io/api/packages/209212?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.10.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.10.0-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209213?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.10.1-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.10.1-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209214?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.11.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.11.0-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209215?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.12.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.12.0-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209216?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.13.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-
oauth-client@1.13.0-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209217?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.13.1-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.13.1-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209218?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.14.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.14.0-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209219?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.14.1-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.14.1-beta"},{"url":"http://public2.vulnerablecode.io/api/packages/209220?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.15.0-rc","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.15.0-rc"},{"url":"http://public2.vulnerablecode.io/api/packages/143407?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.16.0-rc","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nxra-x3yv-5qd6"},{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://pu
blic2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.16.0-rc"},{"url":"http://public2.vulnerablecode.io/api/packages/209221?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.17.0-rc","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.17.0-rc"},{"url":"http://public2.vulnerablecode.io/api/packages/209222?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.18.0-rc","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.18.0-rc"},{"url":"http://public2.vulnerablecode.io/api/packages/209223?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.19.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.19.0"},{"url":"http://public2.vulnerablecode.io/api/packages/209224?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.20.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.20.0"},{"url":"http://public2.vulnerablecode.io/api/packages/209225?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.21.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http
://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.21.0"},{"url":"http://public2.vulnerablecode.io/api/packages/209226?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.22.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.22.0"},{"url":"http://public2.vulnerablecode.io/api/packages/209227?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.23.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.23.0"},{"url":"http://public2.vulnerablecode.io/api/packages/209228?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.24.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.24.1"},{"url":"http://public2.vulnerablecode.io/api/packages/209229?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.25.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.25.0"},{"url":"http://public2.vulnerablecode.io/api/packages/209230?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.26.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2
.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.26.0"},{"url":"http://public2.vulnerablecode.io/api/packages/209231?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.27.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.27.0"},{"url":"http://public2.vulnerablecode.io/api/packages/209232?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.28.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.28.0"},{"url":"http://public2.vulnerablecode.io/api/packages/209233?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.29.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.29.0"},{"url":"http://public2.vulnerablecode.io/api/packages/209234?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.29.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.29.2"},{"url":"http://public2.vulnerablecode.io/api/packages/209235?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.30.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerabl
ecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.1"},{"url":"http://public2.vulnerablecode.io/api/packages/209236?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.30.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.2"},{"url":"http://public2.vulnerablecode.io/api/packages/209237?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.30.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.3"},{"url":"http://public2.vulnerablecode.io/api/packages/209238?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.30.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.4"},{"url":"http://public2.vulnerablecode.io/api/packages/209239?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.30.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.5"},{"url":"http://public2.vulnerablecode.io/api/packages/209240?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.30.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pwtj-az3g-zka3"},{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/p
ackages/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.6"},{"url":"http://public2.vulnerablecode.io/api/packages/74224?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.31.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.0"},{"url":"http://public2.vulnerablecode.io/api/packages/299644?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.31.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.1"},{"url":"http://public2.vulnerablecode.io/api/packages/299645?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.31.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.2"},{"url":"http://public2.vulnerablecode.io/api/packages/299646?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.31.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.4"},{"url":"http://public2.vulnerablecode.io/api/packages/299647?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.31.4-sp.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.4-sp.1"},{"url":"http://public2.vulnerablecode.io/api/packages/299648?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-c
lient@1.31.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.5"},{"url":"http://public2.vulnerablecode.io/api/packages/299649?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.32.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.32.1"},{"url":"http://public2.vulnerablecode.io/api/packages/299650?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.33.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.33.0"},{"url":"http://public2.vulnerablecode.io/api/packages/299651?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.33.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.33.1"},{"url":"http://public2.vulnerablecode.io/api/packages/299652?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.33.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wyyt-3d6v-qbc4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.33.2"}],"references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22573.json","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22573
.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22573","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17215","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17414","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17358","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17299","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17307","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17338","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17245","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17224","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17164","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17024","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17114","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17205","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17176","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17303","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17471","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17518","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17298","published_at":"2026-04
-07T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17389","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17449","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17461","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22573"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573"},{"reference_url":"https://github.com/googleapis/google-oauth-java-client","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/googleapis/google-oauth-java-client"},{"reference_url":"https://github.com/googleapis/google-oauth-java-client/commit/c634ad4e31cac322bb1aa8a9feb0569749011bf0","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/googleapis/google-oauth-java-client/commit/c634ad4e31cac322bb1aa8a9feb0569749011bf0"},{"reference_url":"https://github.com/googleapis/google-oauth-java-client/pull/872","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/googleapis/google-oauth-java-client/pull/872"},{"reference_url":"https://github.com/googleapis/google-oauth-java-client/security/advisories/GHSA-hw42-3568-wj87","reference_id":"","reference_type":"","score
s":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/googleapis/google-oauth-java-client/security/advisories/GHSA-hw42-3568-wj87"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22573","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22573"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010657","reference_id":"1010657","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010657"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2081879","reference_id":"2081879","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2081879"},{"reference_url":"https://github.com/advisories/GHSA-hw42-3568-wj87","reference_id":"GHSA-hw42-3568-wj87","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hw42-3568-wj87"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:4932","reference_id":"RHSA-2022:4932","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:4932"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5030","reference_id":"RHSA-2022:5030","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5030"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5532","reference_id":"RHSA-2022:5532","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5532"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022
:7177","reference_id":"RHSA-2022:7177","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:7177"}],"weaknesses":[{"cwe_id":347,"name":"Improper Verification of Cryptographic Signature","description":"The product does not verify, or incorrectly verifies, the cryptographic signature for data."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":"7.0 - 8.9","exploitability":"0.5","weighted_severity":"8.0","risk_score":4.0,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wyyt-3d6v-qbc4"}