CVE-2021-22573 is a vulnerability in Google’s OAuth client for Java, with a severity score of 8.7 out of 10 on the CVSS scale.
What Causes the CVE-2021-22573 Vulnerability?
The vulnerability stems from the fact that “IDToken verifier does not verify if token is properly signed,” according to the security advisory. Signature verification is what establishes that the token’s payload actually came from a legitimate provider rather than from whoever constructed the token.
“An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above,” the advisory added. The issue was discovered and reported on March 12 by Tamjid Al Rahat, a Ph.D. student of Computer Science at the University of Virginia. He has been awarded $5,000 for disclosing the flaw, according to Google’s bug bounty program.
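As an added illustration (not code from google-oauth-client or the advisory), the Python below contrasts a verifier that checks only the token's claims with one that checks the signature before the claims, and shows why a payload-swapped token passes the first but not the second. For self-containment it uses an HMAC (HS256) key and constructed issuer/audience values; a real OIDC client verifies an RS256 signature against the provider's published keys.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the demo; a real client would use the provider's keys.
KEY, ISSUER, AUDIENCE = b"constructed-demo-key", "https://issuer.example", "client-123"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes) -> str:
    """Issuer side: compact JWT with an HS256 signature over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def _claims_ok(claims: dict, now: float) -> bool:
    return claims.get("iss") == ISSUER and claims.get("aud") == AUDIENCE and claims.get("exp", 0) > now

def verify_claims_only(token: str, now=None) -> bool:
    """Vulnerable pattern: iss/aud/exp are checked, the signature is never looked at."""
    _, payload, _ = token.split(".")
    return _claims_ok(json.loads(_b64url_decode(payload)), now or time.time())

def verify_signed(token: str, key: bytes, now=None) -> bool:
    """Fixed pattern: reject unless the signature matches, then run the same claim checks."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False  # refuse unexpected algorithms (e.g. "none") outright
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    return _claims_ok(json.loads(_b64url_decode(payload)), now or time.time())

def tamper_payload(token: str, new_claims: dict) -> str:
    """Test input: keep the genuine header and signature, swap in a custom payload."""
    header, _, sig = token.split(".")
    return f"{header}.{_b64url(json.dumps(new_claims).encode())}.{sig}"

def demo() -> dict:
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": 9999999999}
    genuine = mint_token({**base, "sub": "alice"}, KEY)
    forged = tamper_payload(genuine, {**base, "sub": "admin"})
    return {
        "claims_only_accepts_genuine": verify_claims_only(genuine),
        "claims_only_accepts_forged": verify_claims_only(forged),   # True: the bug
        "signed_accepts_genuine": verify_signed(genuine, KEY),
        "signed_accepts_forged": verify_signed(forged, KEY),        # False: fixed
    }
```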
Earlier this month, a phishing attack leveraging Google’s SMTP relay service was detected delivering phishing emails to users. The attack was observed by Avanan security researchers.