
Security Bulletin: There is a vulnerability in google-oauth-client-1.25.0.jar used by IBM Maximo Asset Management application (CVE-2020-7692 and CVE-2021-22573)

Summary

Security Bulletin: There is a vulnerability in google-oauth-client-1.25.0.jar used by IBM Maximo Asset Management application (CVE-2020-7692 and CVE-2021-22573)

Vulnerability Details

CVEID: CVE-2020-7692
DESCRIPTION: Google APIs google-oauth-java-client could allow a remote attacker to bypass security restrictions, caused by no PKCE support implemented. By executing a specially-crafted application, an attacker could exploit this vulnerability to obtain the authorization code, and gain authorization to the protected resource.
CVSS Base score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/184858 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2021-22573
DESCRIPTION: Google OAuth Client Library for Java could allow a remote attacker to bypass security restrictions, caused by improper verification of token signatures. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass verification on the client side.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/226003 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Product versions affected:

| Affected Product(s) | Version(s) |
|---|---|
| IBM Maximo Asset Management | 7.6.1.2 |
| IBM Maximo Asset Management | 7.6.1.3 |

To determine the core product version, log in and view System…
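The first CVE above is a missing control rather than a coding bug: without PKCE (RFC 7636) an authorization code is all that is needed at the token endpoint, so whoever obtains the code can redeem it. The following added example, written for this page and not taken from google-oauth-client or IBM Maximo, shows what PKCE adds: the client commits to a SHA-256 challenge when requesting the code, and the token endpoint refuses to exchange the code unless the matching verifier is presented. The authorization server is a toy in-memory class, and the client id `maximo-client` is a constructed value.

```python
"""Added example (not google-oauth-client code): PKCE, RFC 7636, with a toy
authorization server that binds each authorization code to a code_challenge."""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43..128 chars from the unreserved set
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unpadded base64url characters, the RFC minimum length
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyAuthorizationServer:
    """Minimal stand-in for an OAuth authorization server (constructed for this example)."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Only accept S256; the 'plain' method would expose the verifier to the same
        # interception the challenge is meant to defend against.
        if method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier):
        # Every code is single use: it is removed whether or not the exchange succeeds.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        bound_client, challenge = entry
        if bound_client != client_id:
            return None
        if not isinstance(code_verifier, str) or not _VERIFIER_RE.match(code_verifier):
            return None
        # Compare hashes in constant time; a mismatch means the presenter never
        # held the verifier that produced the challenge.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def run_scenario() -> dict:
    """Exercise the toy server; each key records whether the expected outcome occurred."""
    server = ToyAuthorizationServer()
    results = {}

    # 1. Legitimate client: the verifier hashes to the challenge bound to the code.
    verifier = make_code_verifier()
    code = server.authorize("maximo-client", make_code_challenge(verifier))
    results["legit_accepted"] = server.token("maximo-client", code, verifier) is not None
    results["replay_refused"] = server.token("maximo-client", code, verifier) is None

    # 2. The code alone, with no verifier, is worthless at the token endpoint.
    verifier = make_code_verifier()
    code = server.authorize("maximo-client", make_code_challenge(verifier))
    results["missing_verifier_refused"] = server.token("maximo-client", code, None) is None

    # 3. A verifier that does not hash to the stored challenge is refused too.
    verifier = make_code_verifier()
    code = server.authorize("maximo-client", make_code_challenge(verifier))
    results["wrong_verifier_refused"] = (
        server.token("maximo-client", code, make_code_verifier()) is None
    )
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Real authorization servers additionally validate `redirect_uri` and client credentials; this example isolates the one check that PKCE contributes, which is why the intercepted-code scenario of CVE-2020-7692 fails against it.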
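The second CVE is a client-side check that inspects token claims without first verifying the signature that makes those claims trustworthy. The added example below, constructed for this page and not code from google-oauth-client, places a claims-only verifier next to one that verifies the signature before reading any claim, and uses a tampered token to show the difference. To stay self-contained it uses HS256 with a shared key; real Google ID tokens are RS256-signed with published keys, but the order of checks (algorithm, signature, then issuer, audience, expiry) is the same. The key, issuer, audience and timestamps are constructed values.

```python
"""Added example (not google-oauth-client code): verify a JWT's signature
before trusting its claims. HS256 is used only to keep the example offline."""
import base64
import hashlib
import hmac
import json


class TokenError(Exception):
    pass


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. alg='none' is supported only to create negative test cases."""
    header = _b64u(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    if alg == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    elif alg == "none":
        sig = b""
    else:
        raise ValueError(f"unsupported alg {alg}")
    return f"{header}.{payload}.{_b64u(sig)}"


def _check_claims(claims: dict, issuer: str, audience: str, now: int) -> None:
    if claims.get("iss") != issuer:
        raise TokenError("unexpected issuer")
    if claims.get("aud") != audience:
        raise TokenError("unexpected audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("token expired or missing exp")


def verify_claims_only(token: str, issuer: str, audience: str, now: int) -> dict:
    """The flawed pattern: issuer, audience and expiry are checked, the signature is not,
    so anyone can write a payload that passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    claims = json.loads(_b64u_decode(parts[1]))
    _check_claims(claims, issuer, audience, now)
    return claims


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Hardened pattern: pin the algorithm, verify the signature over header.payload,
    and only then evaluate the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64u_decode(header_b64))
    # Pinning the expected algorithm rejects alg=none and algorithm-confusion inputs.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig_b64)):
        raise TokenError("signature verification failed")
    claims = json.loads(_b64u_decode(payload_b64))
    _check_claims(claims, issuer, audience, now)
    return claims


def run_comparison() -> dict:
    """Constructed fixtures: one genuine token, one with a swapped subject and a
    signature made with the wrong key, one with alg=none and no signature."""
    key, issuer, audience, now = b"constructed-demo-key", "https://issuer.example", "client-1", 1_700_000_000
    base = {"iss": issuer, "aud": audience, "exp": now + 600}
    genuine = mint_token({**base, "sub": "alice"}, key)
    tampered = mint_token({**base, "sub": "mallory"}, b"not-the-real-key")
    unsigned = mint_token({**base, "sub": "mallory"}, key, alg="none")

    def accepted(fn) -> bool:
        try:
            fn()
            return True
        except TokenError:
            return False

    return {
        "genuine_hardened": accepted(lambda: verify_id_token(genuine, key, issuer, audience, now)),
        "tampered_claims_only": accepted(lambda: verify_claims_only(tampered, issuer, audience, now)),
        "tampered_hardened": accepted(lambda: verify_id_token(tampered, key, issuer, audience, now)),
        "unsigned_claims_only": accepted(lambda: verify_claims_only(unsigned, issuer, audience, now)),
        "unsigned_hardened": accepted(lambda: verify_id_token(unsigned, key, issuer, audience, now)),
    }


if __name__ == "__main__":
    print(run_comparison())
```

The claims-only verifier accepts both the re-signed and the unsigned token because nothing it checks depends on the key; the hardened verifier rejects them before the payload is ever parsed. When reviewing a client library, that is the property to look for: the signature check must run first and must fail closed.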
