OESA-2025-2431

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-2431
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-2431.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2025-2431
Published
2025-10-17T14:54:28Z
Modified
2025-10-17T15:32:32.270262Z
Summary
google-oauth-java-client security update
Details

Written by Google, the Google OAuth Client Library for Java is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards. The Google OAuth Client Library for Java is designed to work with any OAuth service on the web, not just with Google APIs. It is built on the Google HTTP Client Library for Java.

Security Fix(es):

The vulnerability is that the IdToken verifier does not verify whether the token is properly signed. Signature verification ensures that the token's payload comes from the valid provider and not from someone else. An attacker can provide a crafted token with a custom payload, and the token will pass validation on the client side. We recommend upgrading to version 1.33.3 or above (CVE-2021-22573).

Database specific
{
    "severity": "High"
}
Affected packages

openEuler:24.03-LTS-SP2 / google-oauth-java-client

Package

Name
google-oauth-java-client
Purl
pkg:rpm/openEuler/google-oauth-java-client&distro=openEuler-24.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.22.0-6.oe2403sp2

Ecosystem specific

{
    "noarch": [
        "google-oauth-java-client-1.22.0-6.oe2403sp2.noarch.rpm",
        "google-oauth-java-client-help-1.22.0-6.oe2403sp2.noarch.rpm"
    ],
    "src": [
        "google-oauth-java-client-1.22.0-6.oe2403sp2.src.rpm"
    ]
}