Triple-T / gradle-play-publisher

GPP is Android's unofficial release automation Gradle Plugin. It can do anything from building, uploading, and then promoting your App Bundle or APK to publishing app listings and other metadata.
MIT License
4.1k stars, 339 forks

Vulnerability #1065

Open NolanDon opened 1 year ago

NolanDon commented 1 year ago

Describe the bug

A clear and concise description of what the bug is.

Introduced through: com.github.triplet.gradle:play-publisher@3.7.0
Fixed in: com.google.oauth-client:google-oauth-client@1.33.3

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the IdTokenVerifier method, due to missing signature verification of the ID Token. Exploiting this vulnerability makes it possible for the attacker to provide a compromised token with a custom payload.

How To Reproduce

Versions

play-publisher@3.7.0

Tasks executed

What tasks did you run? For example, publishBundle.

publishReleaseBundle

Expected behavior

A clear and concise description of what you expected to happen.

Additional context (if a crash, provide stack trace)

Add any other context about the problem here. If this bug is a crash, run the task with --stacktrace to get the full context.

SUPERCILEX commented 1 year ago

I'm not actively maintaining this repo anymore, but PRs are welcome.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
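
For builds that still apply play-publisher 3.7.0, one way to pull in the fixed google-oauth-client version named in the report is a dependency constraint on the build script classpath. This is an added example, not part of the issue thread or the project's own code; it assumes a Kotlin DSL build file and that the plugin brings in google-oauth-client transitively, as the report states.

```kotlin
// build.gradle.kts -- added example, not from the plugin's repository.
// Place it in the build file that puts play-publisher on the build script
// classpath (assumed here to be the root project).
buildscript {
    dependencies {
        constraints {
            // Applies to the transitive dependency without declaring it directly.
            classpath("com.google.oauth-client:google-oauth-client") {
                version {
                    // Minimum version; 1.33.3 is the fixed version given in the report.
                    require("1.33.3")
                }
                because("earlier versions lack ID token signature verification in IdTokenVerifier")
            }
        }
    }
}
```

Running Gradle's built-in `buildEnvironment` task for that project prints the resolved build script classpath, which shows whether the constraint raised the google-oauth-client version.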