PKCE (Proof Key for Code Exchange, RFC 7636) is not implemented as required by the OAuth 2.0 for Native Apps best-current-practice (RFC 8252). Without PKCE, the authorization code returned by the authorization server is not bound to the client that issued the initial authorization request, so possession of the code alone is enough to redeem it for tokens. An attacker can obtain the authorization code using a malicious app on the client device (for example, one that intercepts the redirect carrying the code) and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0. The fix commit referenced in the signatures below touches AuthorizationCodeFlow (newAuthorizationUrl / newTokenRequest) and AuthorizationCodeRequestUrl, i.e. the code_challenge / code_verifier handling on both legs of the flow; after upgrading, confirm that your AuthorizationCodeFlow configuration actually sends a code_challenge (PKCE may need to be explicitly enabled on the flow builder — verify against the 1.31.0 API) and that the authorization server enforces it.
{ "vanir_signatures": [ { "deprecated": false, "source": "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", "target": { "file": "google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeRequestUrl.java" }, "digest": { "threshold": 0.9, "line_hashes": [ "195563140868654700454647182656687804461", "169388036470712834053717129206121476157", "109592770034162502415730462695258249158", "291863875414356063157555982922359620608", "63068138136487779005737474085160361347", "50838415285640221411339351163380518042", "334147503316754085114173595866148615652" ] }, "id": "CVE-2020-7692-312a1766", "signature_version": "v1", "signature_type": "Line" }, { "deprecated": false, "source": "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", "target": { "function": "newTokenRequest", "file": "google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java" }, "digest": { "function_hash": "223131593159604655242019714547271848587", "length": 222.0 }, "id": "CVE-2020-7692-62aba16b", "signature_version": "v1", "signature_type": "Function" }, { "deprecated": false, "source": "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", "target": { "function": "newAuthorizationUrl", "file": "google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java" }, "digest": { "function_hash": "315684269081413273562479151131539123595", "length": 108.0 }, "id": "CVE-2020-7692-9b291978", "signature_version": "v1", "signature_type": "Function" }, { "deprecated": false, "source": "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", "target": { "file": "google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java" }, "digest": { "threshold": 0.9, "line_hashes": [ 
"145335430456887821112504490431376705730", "261147572268857067391713032505330178826", "94293774407633764589248811084143654443", "306974072275319714904189806505890418537", "195373273638089622357465714477755683648", "143582365626582694549676686879050872316", "35982197333432362338450317688754999184", "173581750127703286834311549801474529323", "239884562957666762204569485738466216823", "309523710914867617333226149078252242696", "201872806924557608694518849643819840972", "280688973922198899502017555733762936651", "307465762381002060664264502465180219066", "273433781515530988166730953223186571358", "326129273024627789809655426940670239893", "19613895748115692521623189286359850589", "97928050967569763582809617024686264662", "285801789393290255661435517446502745310", "150182913992717518735757355179557436928", "35298681712895664772494572531168873222", "62898923587569212777556491651809027556", "286636697484369862416115579632077325584", "275312682781299837422784013435883871983", "236799805590228655493680935517696982743", "95864685574760911843012878938628188523", "85769186536745394458852846006428141018", "64826208090148948681336257263609825961", "259361149058338537118295120863203110217", "201836131775798738077459676803036726814", "51670820479606653270859390089711986567", "283799097803102368638721382467890857503", "282702642451197961643109867404085240378", "95973180580841836180219260816705529118", "316030037090075080657817976171308391838", "199052163151311440632955172735873134907", "226434861442211533957405778374908631488", "25759255273023982628680052509980669509", "95196179427073871640323263417090152957", "127030213333399992345046525016605321567" ] }, "id": "CVE-2020-7692-ab49c168", "signature_version": "v1", "signature_type": "Line" }, { "deprecated": false, "source": "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", "target": { "file": 
"google-oauth-client/src/test/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlowTest.java" }, "digest": { "threshold": 0.9, "line_hashes": [ "74654163130357013979242689487760334885", "278631187825219431990212539675047427175", "302426018694034495734396660672966333659", "277930600254868260984384435961427673001", "312216280064775480619562312168521189158", "151101452252056330194188347650644972296" ] }, "id": "CVE-2020-7692-b143b2ca", "signature_version": "v1", "signature_type": "Line" }, { "deprecated": false, "source": "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", "target": { "function": "AuthorizationCodeFlow", "file": "google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java" }, "digest": { "function_hash": "53166139971202735839467809529171193462", "length": 905.0 }, "id": "CVE-2020-7692-c5fbc358", "signature_version": "v1", "signature_type": "Function" } ] }