com.google.oauth-client:google-oauth-client 1.5.0-alpha vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.google.oauth-client:google-oauth-client package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Improper Verification of Cryptographic Signature com.google.oauth-client:google-oauth-client is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the `IdTokenVerifier` method, due to missing signature verification of the ID Token. Exploiting this vulnerability makes it possible for the attacker to provide a compromised token with a custom payload. How to fix Improper Verification of Cryptographic Signature? Upgrade `com.google.oauth-client:google-oauth-client` to version 1.33.3 or higher.	[,1.33.3)
H Improper Authorization com.google.oauth-client:google-oauth-client is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards. Affected versions of this package are vulnerable to Improper Authorization. PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. How to fix Improper Authorization? Upgrade `com.google.oauth-client:google-oauth-client` to version 1.31.0 or higher.	[,1.31.0)

Vulnerability

Vulnerable Version

Improper Verification of Cryptographic Signature

com.google.oauth-client:google-oauth-client is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the IdTokenVerifier method, due to missing signature verification of the ID Token. Exploiting this vulnerability makes it possible for the attacker to provide a compromised token with a custom payload.

How to fix Improper Verification of Cryptographic Signature?

Upgrade com.google.oauth-client:google-oauth-client to version 1.33.3 or higher.

[,1.33.3)

Improper Authorization

com.google.oauth-client:google-oauth-client is a powerful and easy-to-use Java library for the OAuth 1.0a and OAuth 2.0 authorization standards.

Affected versions of this package are vulnerable to Improper Authorization. PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource.

How to fix Improper Authorization?

Upgrade com.google.oauth-client:google-oauth-client to version 1.31.0 or higher.

[,1.31.0)

com.google.oauth-client:google-oauth-client@1.5.0-alpha vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?