API Security Blog

Security Bulletin: There is a vulnerability in google-oauth-client-1.25.0.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2020-7692 and CVE-2021-22573)

Summary

There is a vulnerability in google-oauth-client-1.25.0.jar used by IBM Maximo Manage application in IBM Maximo Application Suite.

Vulnerability Details

**CVEID:** CVE-2020-7692
**DESCRIPTION:** Google APIs google-oauth-java-client could allow a remote attacker to bypass security restrictions, caused by no PKCE support implemented. By executing a specially-crafted application, an attacker could exploit this vulnerability to obtain the authorization code, and gain authorization to the protected resource.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184858 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:** CVE-2021-22573
**DESCRIPTION:** Google OAuth Client Library for Java could allow a remote attacker to bypass security restrictions, caused by improper verification of token signatures. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass verification on the client side.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226003 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Maximo Application Suite – Manage Component | MAS 8.10.0 – Manage 8.6.0 |

Remediation/Fixes

For IBM Maximo Manage application in IBM Maximo Application Suite:

| MAS | Manage Patch Fix or Release |
|---|---|
…
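The control whose absence is described under CVE-2020-7692 is PKCE (RFC 7636). The following is an added illustration, not code from IBM, Google or the affected library: it generates the S256 code_verifier/code_challenge pair a client sends, and shows the token-endpoint check that refuses to redeem an authorization code unless the matching verifier is presented, so a captured code alone is worthless. Function names and the walkthrough values are constructed for this example.

```python
# Added example (not the library's code): PKCE with the S256 method.
# The client binds its authorization request to a secret code_verifier;
# the authorization server stores the derived code_challenge with the
# issued code and recomputes it when the code is redeemed.
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes give 43 unreserved characters."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge sent with the /authorize request: BASE64URL(SHA256(verifier))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge from the presented verifier.

    Length bounds follow RFC 7636 section 4.1; the comparison is constant-time.
    An attacker holding only the authorization code and the public challenge
    cannot derive the verifier, so the exchange is refused.
    """
    if not (43 <= len(presented_verifier) <= 128):
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Constructed walkthrough of one authorization-code exchange.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)   # sent to /authorize, stored with the code
    print("legitimate client:", verify_pkce(challenge, verifier))            # True
    print("code captured without verifier:", verify_pkce(challenge, make_code_verifier()))  # False
```

The RFC 7636 Appendix B vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) can be used to confirm the S256 derivation.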
