
Vulnerability #1065

Open
NolanDon opened this issue Sep 22, 2022 · 2 comments
Labels
bug Indicates an unexpected problem or unintended behavior dontclose Prevents the stale bot from closing this issue/pr

Comments

@NolanDon

Describe the bug


Introduced through : com.github.triplet.gradle:play-publisher@3.7.0
Fixed in: com.google.oauth-client:google-oauth-client@1.33.3

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the IdTokenVerifier method, due to missing signature verification of the ID Token. Exploiting this vulnerability makes it possible for the attacker to provide a compromised token with a custom payload.

How To Reproduce

Versions

play-publisher@3.7.0


Tasks executed


publishReleaseBundle


@NolanDon NolanDon added the bug Indicates an unexpected problem or unintended behavior label Sep 22, 2022
@SUPERCILEX
Collaborator

I'm not actively maintaining this repo anymore, but PRs are welcome.

@github-actions

github-actions bot commented Oct 1, 2022

This issue has been automatically marked as stale because it has not had recent
activity. It will be closed if no further activity occurs. Thank you for your
contributions.

@github-actions github-actions bot added the waiting-for-reply Indicates that an issue or pull request needs more information label Oct 1, 2022
@SUPERCILEX SUPERCILEX added the dontclose Prevents the stale bot from closing this issue/pr label Oct 1, 2022
@github-actions github-actions bot removed the waiting-for-reply Indicates that an issue or pull request needs more information label Oct 2, 2022