An update for google-oauth-java-client is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2430 Final 1.0 1.0 2025-10-17 Initial 2025-10-17 2025-10-17 openEuler SA Tool V1.0 2025-10-17 google-oauth-java-client security update An update for google-oauth-java-client is now available for openEuler-24.03-LTS-SP1 Written by Google, the Google OAuth Client Library for Java is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards. The Google OAuth Client Library for Java is designed to work with any OAuth service on the web, not just with Google APIs. It is built on the Google HTTP Client Library for Java. Security Fix(es): The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above(CVE-2021-22573) An update for google-oauth-java-client is now available for openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High google-oauth-java-client https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2430 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2021-22573 https://nvd.nist.gov/vuln/detail/CVE-2021-22573 openEuler-24.03-LTS-SP1 google-oauth-java-client-1.22.0-6.oe2403sp1.src.rpm google-oauth-java-client-1.22.0-6.oe2403sp1.noarch.rpm google-oauth-java-client-help-1.22.0-6.oe2403sp1.noarch.rpm The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above 2025-10-17 CVE-2021-22573 openEuler-24.03-LTS-SP1 High 7.3 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N google-oauth-java-client security update 2025-10-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2430