{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"google-oauth-java-client security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for google-oauth-java-client is now available for openEuler-24.03-LTS-SP2",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"Written by Google, the Google OAuth Client Library for Java is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards. The Google OAuth Client Library for Java is designed to work with any OAuth service on the web, not just with Google APIs. It is built on the Google HTTP Client Library for Java.\n\nSecurity Fix(es):\n\nThe vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification ensures that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload, and the token will pass validation on the client side. We recommend upgrading to version 1.33.3 or above (CVE-2021-22573). For openEuler-24.03-LTS-SP2, this advisory lists google-oauth-java-client-1.22.0-6.oe2403sp2 as the fixed package, so check the installed package release rather than comparing against 1.33.3.",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for google-oauth-java-client is now available for openEuler-24.03-LTS-SP2.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"google-oauth-java-client",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2025-2431",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2431"
			},
			{
				"summary":"CVE-2021-22573",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2021-22573&packageName=google-oauth-java-client"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22573"
			},
			{
				"summary":"openEuler-SA-2025-2431 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-2431.json"
			}
		],
		"title":"An update for google-oauth-java-client is now available for openEuler-24.03-LTS-SP2",
		"tracking":{
			"initial_release_date":"2025-10-17T22:57:18+08:00",
			"revision_history":[
				{
					"date":"2025-10-17T22:57:18+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2025-10-17T22:57:18+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2025-10-17T22:57:18+08:00",
			"id":"openEuler-SA-2025-2431",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2"
									},
									"product_id":"openEuler-24.03-LTS-SP2",
									"name":"openEuler-24.03-LTS-SP2"
								},
								"name":"openEuler-24.03-LTS-SP2",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2"
									},
									"product_id":"google-oauth-java-client-1.22.0-6.oe2403sp2.noarch.rpm",
									"name":"google-oauth-java-client-1.22.0-6.oe2403sp2.noarch.rpm"
								},
								"name":"google-oauth-java-client-1.22.0-6.oe2403sp2.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2"
									},
									"product_id":"google-oauth-java-client-help-1.22.0-6.oe2403sp2.noarch.rpm",
									"name":"google-oauth-java-client-help-1.22.0-6.oe2403sp2.noarch.rpm"
								},
								"name":"google-oauth-java-client-help-1.22.0-6.oe2403sp2.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2"
									},
									"product_id":"google-oauth-java-client-1.22.0-6.oe2403sp2.src.rpm",
									"name":"google-oauth-java-client-1.22.0-6.oe2403sp2.src.rpm"
								},
								"name":"google-oauth-java-client-1.22.0-6.oe2403sp2.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP2",
				"product_reference":"google-oauth-java-client-1.22.0-6.oe2403sp2.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP2:google-oauth-java-client-1.22.0-6.oe2403sp2.noarch",
					"name":"google-oauth-java-client-1.22.0-6.oe2403sp2.noarch as a component of openEuler-24.03-LTS-SP2"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP2",
				"product_reference":"google-oauth-java-client-help-1.22.0-6.oe2403sp2.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP2:google-oauth-java-client-help-1.22.0-6.oe2403sp2.noarch",
					"name":"google-oauth-java-client-help-1.22.0-6.oe2403sp2.noarch as a component of openEuler-24.03-LTS-SP2"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP2",
				"product_reference":"google-oauth-java-client-1.22.0-6.oe2403sp2.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP2:google-oauth-java-client-1.22.0-6.oe2403sp2.src",
					"name":"google-oauth-java-client-1.22.0-6.oe2403sp2.src as a component of openEuler-24.03-LTS-SP2"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2021-22573",
			"notes":[
				{
					"text":"The vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification ensures that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload, and the token will pass validation on the client side. We recommend upgrading to version 1.33.3 or above.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS-SP2:google-oauth-java-client-1.22.0-6.oe2403sp2.noarch",
					"openEuler-24.03-LTS-SP2:google-oauth-java-client-help-1.22.0-6.oe2403sp2.noarch",
					"openEuler-24.03-LTS-SP2:google-oauth-java-client-1.22.0-6.oe2403sp2.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS-SP2:google-oauth-java-client-1.22.0-6.oe2403sp2.noarch",
						"openEuler-24.03-LTS-SP2:google-oauth-java-client-help-1.22.0-6.oe2403sp2.noarch",
						"openEuler-24.03-LTS-SP2:google-oauth-java-client-1.22.0-6.oe2403sp2.src"
					],
					"details":"google-oauth-java-client security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2431"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.3,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS-SP2:google-oauth-java-client-1.22.0-6.oe2403sp2.noarch",
						"openEuler-24.03-LTS-SP2:google-oauth-java-client-help-1.22.0-6.oe2403sp2.noarch",
						"openEuler-24.03-LTS-SP2:google-oauth-java-client-1.22.0-6.oe2403sp2.src"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2021-22573"
		}
	]
}