PT-2022-3561 · Google · Google-Oauth-Java-Client

Published: 2022-05-03 · Updated: 2025-10-17 · CVE-2021-22573

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: google-oauth-java-client versions prior to 1.33.3
Description: The IdToken verifier does not check that a token is properly signed. An attacker can therefore supply a token with a custom payload, and it will pass validation on the client side. The issue affects users of the IdTokenVerifier class, whose verify method does not validate the signature before checking the claims. An attacker can modify payload fields such as the email address or phone number, and the library will still accept the token. If the application forwards the verified IdToken to another service for authentication, the risk is low, because that service's backend is expected to check the signature and reject the request.
Recommendations: Update to version 1.33.3 or later to resolve the issue. If the library is used indirectly or cannot be updated, consider switching to one of the similar IdToken verifiers provided by Google that already verify signatures, such as google-auth-library-java or google-api-java-client. As a temporary workaround, restrict use of the IdTokenVerifier class until a patch is available.
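The following is an added illustration of the weakness described above, not code from google-oauth-java-client: a toy verifier that checks claims without ever looking at the signature (the pre-1.33.3 shape of the bug) beside one that verifies the signature first. It uses HS256 with a constructed demo key and constructed claims so it runs offline; the real library verifies RS256 signatures against Google's published certificates, which the HMAC merely stands in for.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values. The real library checks RS256 signatures against
# Google's published certificates; HMAC here only stands in for "a signature".
DEMO_KEY = b"constructed-demo-signing-key"
AUDIENCE = "demo-client-id.apps.googleusercontent.com"
NOW = 1_700_000_000  # fixed clock so the example is deterministic

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWS over the given claims (plays the role of the IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def _claims_ok(claims: dict, audience: str, now: int) -> bool:
    return (claims.get("iss") == "https://accounts.google.com"
            and claims.get("aud") == audience
            and claims.get("exp", 0) > now)

def verify_claims_only(token: str, audience: str, now: int) -> Optional[dict]:
    """Pre-1.33.3 shape of the bug: claims are checked, the signature is never looked at."""
    _, body, _ = token.split(".")
    claims = json.loads(_b64url_decode(body))
    return claims if _claims_ok(claims, audience, now) else None

def verify_signed(token: str, key: bytes, audience: str, now: int) -> Optional[dict]:
    """Fixed order: signature first, claims second; anything unsigned is rejected."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return verify_claims_only(token, audience, now)

def swap_payload(token: str, new_claims: dict) -> str:
    """Re-encode the payload while keeping the issuer's header and signature (test input)."""
    header, _, sig = token.split(".")
    return f"{header}.{_b64url(json.dumps(new_claims).encode())}.{sig}"
```

A token whose payload was re-encoded after issuance is accepted by verify_claims_only but rejected by verify_signed, which is the difference the 1.33.3 fix makes.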

Fix

Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers:

BDU:2022-04345
CVE-2021-22573
GHSA-HW42-3568-WJ87
GHSA-XH97-72WW-2W58
OESA-2025-2429
OESA-2025-2430
OESA-2025-2431
OESA-2025-2432
OESA-2025-2433
OESA-2025-2434
SUSE-SU-2024:0806-1

Affected Products:

Debian
Google-Oauth-Java-Client