CVE-2021-22573
Authentication Bypass vulnerability in google-oauth-client (Maven)

Authentication Bypass No known exploit

What is CVE-2021-22573 About?

This vulnerability affects users of the `IdTokenVerifier` class, whose `verify` method validates the token's claims but never validates the token's signature. An attacker can take a token, alter the payload (e.g., the `email` or `sub` claim) and leave the signature segment as arbitrary bytes; the library still reports the token as valid. This allows authentication bypass and data tampering if the application acts on the modified claims. The risk is low only where a downstream service independently re-verifies the signature before trusting the claims. Exploitation requires nothing more than crafting a token whose claims satisfy the verifier's checks; no valid signature is needed.

Affected Software

com.google.oauth-client:google-oauth-client >1.16.0-rc, <1.33.3

Technical Details

The vulnerability lies within the `IdTokenVerifier` class: prior to version 1.33.3, `verify` parses the JSON Web Token (JWT), validates the claims it is configured to check (issuer `iss`, audience `aud`, and expiry), and returns true, without ever verifying the signature in the third segment of the token. Signature verification is therefore not merely out of order; it is absent. An attacker can take a legitimate token, change claims such as `sub` or `email`, and leave the signature as-is (or replace it with any bytes at all); because the claims still match the configured issuer and audience, `IdTokenVerifier` accepts the token and the application processes attacker-controlled identity data. This can lead to authentication bypass by assuming another identity, or to data tampering, unless the application or a subsequent service explicitly verifies the signature (for example by calling `verifySignature(PublicKey)` on the parsed token against the issuer's published key) before trusting the claims. Version 1.33.3 adds signature verification to `IdTokenVerifier`.
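To make the failure mode concrete, the following is an added stand-alone model of the bug class described above and in the exploitability section, not code from google-oauth-client: a verifier that checks `iss`, `aud` and `exp` but ignores the signature, beside one that binds the payload to the key first. It uses HS256 with a constructed key so it runs offline (real Google ID tokens are RS256; the logic is the same), and the issuer, audience and claim values are constructed examples.

```python
"""Model of the CVE-2021-22573 bug class: an ID-token verifier that checks
claims but never the signature, beside a verifier that checks the signature
first.  Stand-alone Python, not the google-oauth-client Java code.  HS256 is
used so it runs offline; real Google ID tokens are RS256, the logic is the same."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://accounts.google.com"        # constructed example issuer
AUDIENCE = "example-client-id.apps.example"   # constructed example client id
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed, not real


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(payload: dict, key: bytes) -> str:
    """Mint a legitimate HS256 JWT (the identity-provider side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (f"{b64url_encode(json.dumps(header).encode())}."
                     f"{b64url_encode(json.dumps(payload).encode())}")
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_token(token: str, overrides: dict) -> str:
    """Attacker step: rewrite claims in a captured token and leave the old,
    now-invalid signature in place.  Any garbage bytes would do equally well."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(overrides)
    return f"{header_b64}.{b64url_encode(json.dumps(payload).encode())}.{sig_b64}"


def check_claims(payload: dict, issuer: str, audience: str, now: int) -> bool:
    """The iss / aud / exp checks both verifiers share."""
    aud = payload.get("aud")
    aud_ok = audience in aud if isinstance(aud, list) else aud == audience
    return payload.get("iss") == issuer and aud_ok and payload.get("exp", 0) > now


def claims_only_verify(token: str, issuer: str, audience: str, now: int) -> bool:
    """Vulnerable pattern: parse, validate claims, never look at segment three."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return check_claims(json.loads(b64url_decode(payload_b64)), issuer, audience, now)


def verify_with_signature(token: str, key: bytes, issuer: str, audience: str, now: int) -> bool:
    """Hardened pattern: bind the payload to the key before reading any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject 'none' and any unexpected algorithm
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False
    return check_claims(json.loads(b64url_decode(payload_b64)), issuer, audience, now)


def demo(now: int = None) -> dict:
    """Mint a legitimate token, forge a copy with a different identity, and
    run both verifiers over the forgery."""
    now = int(time.time()) if now is None else now
    legit = sign_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "1001",
                        "email": "alice@example.com", "exp": now + 3600}, SIGNING_KEY)
    forged = forge_token(legit, {"sub": "1", "email": "admin@example.com"})
    return {
        "forged_accepted_by_claims_only": claims_only_verify(forged, ISSUER, AUDIENCE, now),
        "forged_accepted_with_signature": verify_with_signature(forged, SIGNING_KEY, ISSUER, AUDIENCE, now),
        "legit_accepted_with_signature": verify_with_signature(legit, SIGNING_KEY, ISSUER, AUDIENCE, now),
    }


if __name__ == "__main__":
    print(demo())
```

The claims-only verifier accepts the forgery because every check it performs reads only the payload; the hardened verifier rejects it because the HMAC over the rewritten payload no longer matches the captured signature. The `alg` check matters too: a verifier that trusts the header's algorithm can be talked into skipping the signature with `"alg": "none"`.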

What is the Impact of CVE-2021-22573?

Successful exploitation may allow attackers to bypass authentication, impersonate users based on manipulated claims, or introduce tampered data into an application.

What is the Exploitability of CVE-2021-22573?

Exploitation requires only that the attacker can submit an ID token to an application that relies on the vulnerable `IdTokenVerifier`. This is typically a remote attack, and no prior privilege is needed beyond the ability to present a token for verification; authentication is bypassed by the verifier itself accepting the crafted token. Complexity is low: the attacker sets the `iss` and `aud` claims the application expects, chooses the identity claims they want, and supplies any bytes at all in the signature segment, since the signature is never checked. The risk is highest for applications that rely solely on `IdTokenVerifier.verify` to authenticate and then act on the claims; applications that additionally verify the signature against the issuer's published key before trusting the claims are not exposed through this path.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-22573?

Available Upgrade Options

  • com.google.oauth-client:google-oauth-client
    • >1.16.0-rc, <1.33.3 → Upgrade to 1.33.3 or later

Additional Resources

What are Similar Vulnerabilities to CVE-2021-22573?

Similar Vulnerabilities: CVE-2022-21449, CVE-2020-17522, CVE-2020-19349, CVE-2019-12270, CVE-2018-1000845