CVE-2021-22573 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-22573 PUBLISHED

The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above

EPSS 0.05% · 17.3th percentile

Risk Scores

EPSS Score

0.05%

17.3th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:22.04:LTS	google-oauth-client-java	0, 1.28.0-2
Ubuntu:24.04:LTS	google-oauth-client-java	0, 1.34.1-2
Ubuntu:25.10	google-oauth-client-java	0, 1.34.1-2

Timeline

May 3, 2022 CVE Published
May 3, 2022 PoC Published
May 4, 2022 EPSS Score
May 10, 2022 CVE Updated
May 21, 2022 PoC Published
Jun 22, 2022 EPSS Score
Aug 11, 2022 EPSS Score
Sep 29, 2022 EPSS Score
Nov 17, 2022 EPSS Score
Jan 5, 2023 EPSS Score
Feb 23, 2023 EPSS Score
Mar 7, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2021-22573 third-party-advisory
https://github.com/googleapis/google-oauth-java-client/pull/872 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2021-22573 third-party-advisory

Open in Interactive Console →