SB2020070955 - Missing authorization in Google OAuth Client Library for Java
Published: July 9, 2020 Updated: February 8, 2023
Security Bulletin ID
SB2020070955
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Incorrect authorization (CVE-ID: CVE-2020-7692)
The vulnerability allows a remote attacker to bypass authorization process.
The vulnerability exists due to missing support for PKCE. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource.
Remediation
Install update from vendor's website.
References
- https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
- https://github.com/googleapis/google-oauth-java-client/issues/469
- https://tools.ietf.org/html/rfc8252%23section-8.1
- https://tools.ietf.org/html/rfc7636%23section-1
- https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276
- https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f@%3Ccommits.druid.apache.org%3E