Vulnerabilites related to google - oauth_client_library_for_java
cve-2020-7692
Vulnerability from cvelistv5
Published
2020-07-09 13:20
Modified
2024-09-17 03:47
Severity ?
EPSS score ?
Summary
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276 | x_refsource_MISC | |
| https://github.com/googleapis/google-oauth-java-client/issues/469 | x_refsource_MISC | |
| https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824 | x_refsource_MISC | |
| https://tools.ietf.org/html/rfc8252%23section-8.1 | x_refsource_MISC | |
| https://tools.ietf.org/html/rfc7636%23section-1 | x_refsource_MISC | |
| https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678%40%3Ccommits.druid.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f%40%3Ccommits.druid.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | com.google.oauth-client:google-oauth-client |
Version: unspecified < 1.31.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T09:41:01.522Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/googleapis/google-oauth-java-client/issues/469", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://tools.ietf.org/html/rfc8252%23section-8.1", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://tools.ietf.org/html/rfc7636%23section-1", }, { name: "[druid-commits] 20200724 [GitHub] [druid] suneet-s opened a new pull request #10214: Suppress CVE-2020-7692", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20200727 [druid] branch master updated: Suppress CVE-2020-7692 (#10214)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f%40%3Ccommits.druid.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "com.google.oauth-client:google-oauth-client", vendor: "n/a", versions: [ { lessThan: "1.31.0", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Stefán Freyr Stefánsson", }, ], datePublic: "2020-07-09T00:00:00", descriptions: [ { lang: "en", value: "PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "Improper Authorization", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-07-27T19:06:04", orgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", shortName: "snyk", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/googleapis/google-oauth-java-client/issues/469", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", }, { tags: [ "x_refsource_MISC", ], url: "https://tools.ietf.org/html/rfc8252%23section-8.1", }, { tags: [ "x_refsource_MISC", ], url: "https://tools.ietf.org/html/rfc7636%23section-1", }, { name: "[druid-commits] 20200724 [GitHub] [druid] suneet-s opened a new pull request #10214: Suppress CVE-2020-7692", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20200727 [druid] branch master updated: Suppress CVE-2020-7692 (#10214)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f%40%3Ccommits.druid.apache.org%3E", }, ], title: "Improper Authorization", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "report@snyk.io", DATE_PUBLIC: "2020-07-09T13:19:17.686190Z", ID: "CVE-2020-7692", STATE: "PUBLIC", TITLE: "Improper Authorization", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "com.google.oauth-client:google-oauth-client", version: { version_data: [ { version_affected: "<", version_value: "1.31.0", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, credit: [ { lang: "eng", value: "Stefán Freyr Stefánsson", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Improper Authorization", }, ], }, ], }, references: { reference_data: [ { name: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276", refsource: "MISC", url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276", }, { name: "https://github.com/googleapis/google-oauth-java-client/issues/469", refsource: "MISC", url: "https://github.com/googleapis/google-oauth-java-client/issues/469", }, { name: "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", refsource: "MISC", url: "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", }, { name: "https://tools.ietf.org/html/rfc8252%23section-8.1", refsource: "MISC", url: "https://tools.ietf.org/html/rfc8252%23section-8.1", }, { name: "https://tools.ietf.org/html/rfc7636%23section-1", refsource: "MISC", url: "https://tools.ietf.org/html/rfc7636%23section-1", }, { name: "[druid-commits] 20200724 [GitHub] [druid] suneet-s opened a new pull request #10214: Suppress CVE-2020-7692", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678@%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20200727 [druid] branch master updated: Suppress CVE-2020-7692 (#10214)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f@%3Ccommits.druid.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", assignerShortName: "snyk", cveId: "CVE-2020-7692", datePublished: "2020-07-09T13:20:16.446467Z", dateReserved: "2020-01-21T00:00:00", dateUpdated: "2024-09-17T03:47:55.563Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-22573
Vulnerability from cvelistv5
Published
2022-05-03 15:45
Modified
2024-08-03 18:44
Severity ?
EPSS score ?
Summary
The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/googleapis/google-oauth-java-client/pull/872 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Google LLC | Google-oauth-java-client |
Version: unspecified < 1.33.2 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:44:13.756Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/googleapis/google-oauth-java-client/pull/872", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Google-oauth-java-client", vendor: "Google LLC", versions: [ { lessThan: "1.33.2", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-347", description: "CWE-347 Improper Verification of Cryptographic Signature", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-03T15:45:11", orgId: "14ed7db2-1595-443d-9d34-6215bf890778", shortName: "Google", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/googleapis/google-oauth-java-client/pull/872", }, ], source: { discovery: "INTERNAL", }, title: "Incorrect signature verification on Google-oauth-java-client", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@google.com", ID: "CVE-2021-22573", STATE: "PUBLIC", TITLE: "Incorrect signature verification on Google-oauth-java-client", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Google-oauth-java-client", version: { version_data: [ { version_affected: "<", version_value: "1.33.2", }, ], }, }, ], }, vendor_name: "Google LLC", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-347 Improper Verification of Cryptographic Signature", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/googleapis/google-oauth-java-client/pull/872", refsource: "MISC", url: "https://github.com/googleapis/google-oauth-java-client/pull/872", }, ], }, source: { discovery: "INTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "14ed7db2-1595-443d-9d34-6215bf890778", assignerShortName: "Google", cveId: "CVE-2021-22573", datePublished: "2022-05-03T15:45:12", dateReserved: "2021-01-05T00:00:00", dateUpdated: "2024-08-03T18:44:13.756Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2022-05-03 16:15
Modified
2024-11-21 05:50
Severity ?
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Summary
The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve-coordination@google.com | https://github.com/googleapis/google-oauth-java-client/pull/872 | Issue Tracking, Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/googleapis/google-oauth-java-client/pull/872 | Issue Tracking, Patch, Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oauth_client_library_for_java | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:google:oauth_client_library_for_java:*:*:*:*:*:*:*:*", matchCriteriaId: "96AD9B2E-FDD8-4740-B678-7BA34BB27272", versionEndExcluding: "1.33.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above", }, { lang: "es", value: "La vulnerabilidad consiste en que el verificador IDToken no verifica si el token está correctamente firmado. La verificación de la firma asegura que la carga útil del token proviene de un proveedor válido y no de otra persona. Un atacante puede proporcionar un token comprometido con una carga útil personalizada. El token pasará la comprobación en el lado del cliente. Recomendamos actualizar a versión 1.33.3 o superior", }, ], id: "CVE-2021-22573", lastModified: "2024-11-21T05:50:21.313", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 5.8, source: "cve-coordination@google.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-03T16:15:18.700", references: [ { source: "cve-coordination@google.com", tags: [ "Issue Tracking", "Patch", "Release Notes", "Third Party Advisory", ], url: "https://github.com/googleapis/google-oauth-java-client/pull/872", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Release Notes", "Third Party Advisory", ], url: "https://github.com/googleapis/google-oauth-java-client/pull/872", }, ], sourceIdentifier: "cve-coordination@google.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-347", }, ], source: "cve-coordination@google.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-347", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-07-09 14:15
Modified
2024-11-21 05:37
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oauth_client_library_for_java | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:google:oauth_client_library_for_java:*:*:*:*:*:*:*:*", matchCriteriaId: "5DDA599C-C892-4548-9C70-87191A82F42F", versionEndExcluding: "1.31.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.", }, { lang: "es", value: "Un soporte PKCE no está implementado de acuerdo con el RFC para OAuth versión 2.0 para Native Apps. Sin el uso de PKCE, el código de autorización devuelto por un servidor de autorización no es suficiente para garantizar que el cliente que emitió la petición de autorización inicial sea el que será autorizado. Un atacante puede ser capaz de obtener el código de autorización usando una aplicación maliciosa en el lado del cliente y usarlo para conseguir autorización para el recurso protegido. Esto afecta el paquete com.google.oauth-client:google-oauth-client versiones anteriores a 1.31.0", }, ], id: "CVE-2020-7692", lastModified: "2024-11-21T05:37:37.350", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.2, source: "report@snyk.io", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-07-09T14:15:11.107", references: [ { source: "report@snyk.io", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", }, { source: "report@snyk.io", tags: [ "Third Party Advisory", ], url: "https://github.com/googleapis/google-oauth-java-client/issues/469", }, { source: "report@snyk.io", url: "https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678%40%3Ccommits.druid.apache.org%3E", }, { source: "report@snyk.io", url: "https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f%40%3Ccommits.druid.apache.org%3E", }, { source: "report@snyk.io", tags: [ "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276", }, { source: "report@snyk.io", tags: [ "Exploit", "Third Party Advisory", ], url: "https://tools.ietf.org/html/rfc7636%23section-1", }, { source: "report@snyk.io", tags: [ "Exploit", "Third Party Advisory", ], url: "https://tools.ietf.org/html/rfc8252%23section-8.1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/googleapis/google-oauth-java-client/issues/469", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://tools.ietf.org/html/rfc7636%23section-1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://tools.ietf.org/html/rfc8252%23section-8.1", }, ], sourceIdentifier: "report@snyk.io", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }