Description
Describe the bug
A clear and concise description of what the bug is.
Introduced through: com.github.triplet.gradle:play-publisher@3.7.0
Fixed in: com.google.oauth-client:google-oauth-client@1.33.3
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the IdTokenVerifier method, due to missing signature verification of the ID Token. Exploiting this vulnerability makes it possible for the attacker to provide a compromised token with a custom payload.
How To Reproduce
Versions
play-publisher@3.7.0
- Gradle Play Publisher:
- Gradle Wrapper:
- Android Gradle Plugin:
Tasks executed
What tasks did you run? For example, publishBundle.
publishReleaseBundle
Expected behavior
A clear and concise description of what you expected to happen.
Additional context (if a crash, provide stack trace)
Add any other context about the problem here. If this bug is a crash, run the task with --stacktrace to get the full context.
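One way to check whether a build still resolves a google-oauth-client version below the fix named in the report, by scanning the dependency tree that `gradle buildEnvironment` prints. This is an added example, not code from the issue or from the plugin project. The sample trees and the `com.example:intermediate-lib` coordinate are constructed, and treating every version lower than 1.33.3 as affected is an assumption, since the issue gives only the fixed version.

```python
import re

PACKAGE = "com.google.oauth-client:google-oauth-client"
FIXED_IN = (1, 33, 3)  # the "Fixed in" version quoted in the issue

# Constructed samples in the tree format printed by `gradle buildEnvironment`.
# com.example:intermediate-lib is a placeholder, not a real dependency.
VULNERABLE_SAMPLE = r"""
classpath
\--- com.github.triplet.gradle:play-publisher:3.7.0
     +--- com.example:intermediate-lib:1.0.0
     |    \--- com.google.oauth-client:google-oauth-client:1.32.1
     \--- com.google.oauth-client:google-oauth-client:1.31.0 -> 1.32.1 (*)
"""
PATCHED_SAMPLE = r"""
classpath
\--- com.github.triplet.gradle:play-publisher:3.7.0
     \--- com.google.oauth-client:google-oauth-client:1.32.1 -> 1.33.3
"""


def resolved_versions(report):
    """Return the set of (major, minor, patch) versions PACKAGE resolves to."""
    found = set()
    for line in report.splitlines():
        _, sep, rest = line.partition(PACKAGE)
        # Skip other lines and sibling artifacts such as "google-oauth-client-java6".
        if not sep or rest[:1] not in (":", " "):
            continue
        # "declared -> resolved": the resolved version is what lands on the classpath.
        if " -> " in rest:
            rest = rest.rsplit(" -> ", 1)[1]
        match = re.match(r":?(\d+)\.(\d+)\.(\d+)", rest)
        if match is None:
            # Fail closed: an unreadable version must not pass as "patched".
            raise ValueError(f"cannot read version from: {line.strip()}")
        found.add(tuple(int(part) for part in match.groups()))
    return found


def versions_below_fix(report):
    """Resolved versions lower than FIXED_IN, as sorted 'x.y.z' strings."""
    return [".".join(map(str, v)) for v in sorted(resolved_versions(report)) if v < FIXED_IN]


if __name__ == "__main__":
    for name, report in (("vulnerable", VULNERABLE_SAMPLE), ("patched", PATCHED_SAMPLE)):
        print(name, versions_below_fix(report) or "ok")
```

An empty result means every occurrence of the package resolves to 1.33.3 or later; run it against the real output of `gradle buildEnvironment` in place of the constructed samples.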