[jira] [Created] (IMPALA-11407) Update google-oauth-client to address CVE-2021-22573

Michael Smith (Jira) Thu, 30 Jun 2022 09:23:05 -0700

Michael Smith created IMPALA-11407:
--------------------------------------

             Summary: Update google-oauth-client to address CVE-2021-22573
                 Key: IMPALA-11407
                 URL: https://issues.apache.org/jira/browse/IMPALA-11407
             Project: IMPALA
          Issue Type: Bug
          Components: Frontend
    Affects Versions: Impala 4.1.0
            Reporter: Michael Smith



The vulnerability is that IDToken verifier does not verify if token is properly 
signed. Signature verification makes sure that the token's payload comes from 
valid provider, not from someone else. An attacker can provide a compromised 
token with custom payload. The token will pass the validation on the client 
side. We recommend upgrading to version 1.33.3 or above.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Created] (IMPALA-11407) Update google-oauth-client to address CVE-2021-22573

Reply via email to