com.google.oauth-client:google-oauth-client@1.12.0-beta vulnerabilities

latest version

1.35.0
latest non vulnerable version

1.35.0
first published

13 years ago
latest version published

3 months ago
licenses detected
- Apache-2.0
  [1.5.0-alpha,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the com.google.oauth-client:google-oauth-client package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Improper Verification of Cryptographic Signature com.google.oauth-client:google-oauth-client is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the `IdTokenVerifier` method, due to missing signature verification of the ID Token. Exploiting this vulnerability makes it possible for the attacker to provide a compromised token with a custom payload. How to fix Improper Verification of Cryptographic Signature? Upgrade `com.google.oauth-client:google-oauth-client` to version 1.33.3 or higher.	[,1.33.3)
H Improper Authorization com.google.oauth-client:google-oauth-client is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards. Affected versions of this package are vulnerable to Improper Authorization. PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. How to fix Improper Authorization? Upgrade `com.google.oauth-client:google-oauth-client` to version 1.31.0 or higher.	[,1.31.0)

Improper Verification of Cryptographic Signature

com.google.oauth-client:google-oauth-client is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the IdTokenVerifier method, due to missing signature verification of the ID Token. Exploiting this vulnerability makes it possible for the attacker to provide a compromised token with a custom payload.

How to fix Improper Verification of Cryptographic Signature?

Upgrade com.google.oauth-client:google-oauth-client to version 1.33.3 or higher.

[,1.33.3)

Improper Authorization

com.google.oauth-client:google-oauth-client is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards.

Affected versions of this package are vulnerable to Improper Authorization. PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource.

How to fix Improper Authorization?

Upgrade com.google.oauth-client:google-oauth-client to version 1.31.0 or higher.

[,1.31.0)

Go back to all versions of this package

com.google.oauth-client:google-oauth-client@1.12.0-beta vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities