Improper Verification of Cryptographic Signature Affecting com.google.oauth-client:google-oauth-client Open this link in a new tab package, versions [,1.33.3)


0.0
high
  • Attack Complexity

    Low

  • User Interaction

    Required

  • Scope

    Changed

  • Confidentiality

    High

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-COMGOOGLEOAUTHCLIENT-2807808

  • published

    4 May 2022

  • disclosed

    4 May 2022

  • credit

    tamjidrahat

How to fix?

Upgrade com.google.oauth-client:google-oauth-client to version 1.33.3 or higher.

Overview

com.google.oauth-client:google-oauth-client is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the IdTokenVerifier method, due to missing signature verification of the ID Token. Exploiting this vulnerability makes it possible for the attacker to provide a compromised token with a custom payload.