CVE-2020-7692
Authorization Bypass vulnerability in google-oauth-client (Maven)

Authorization Bypass No known exploit

What is CVE-2020-7692 About?

This vulnerability is an Authorization Bypass in `com.google.oauth-client:google-oauth-client` caused by an incomplete implementation of PKCE for OAuth 2.0. It allows attackers to obtain authorization to protected resources that was never granted to them. Exploitation requires a malicious app on the client side and is of moderate difficulty.

Affected Software

com.google.oauth-client:google-oauth-client <1.31.0

Technical Details

The vulnerability arises from the com.google.oauth-client:google-oauth-client library failing to fully implement the Proof Key for Code Exchange (PKCE) specification for OAuth 2.0 for Native Apps. PKCE is designed to mitigate authorization code interception attacks: the client sends a code_challenge with the authorization request and must later prove, at the token endpoint, possession of the code_verifier from which that code_challenge was derived. Without a proper PKCE implementation, the authorization code returned by the authorization server is not sufficiently tied to the original client request. An attacker can, using a malicious application on the client side, intercept and obtain the authorization code. That code can then be used by the attacker's application to request an access token from the authorization server, bypassing the intended client authorization and gaining access to protected resources.
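To make that binding concrete, the following is an added, constructed Python model of the PKCE check; it is not code from google-oauth-client or from the advisory. The in-memory authorization server, the client flows and the issued codes are all assumptions of the example; the S256 transform follows RFC 7636.

```python
import base64
import hashlib
import secrets

# Constructed illustration of the PKCE (RFC 7636) code/verifier binding that this
# advisory says the affected library versions did not fully enforce. No network is
# involved; the "authorization server" is an in-memory dictionary.


def code_challenge_s256(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) with no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43..128 unreserved characters of high entropy, as RFC 7636 section 4.1 requires."""
    return base64.urlsafe_b64encode(secrets.token_bytes(48)).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Stores the code_challenge with each issued code and checks it at the token endpoint."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> code_challenge it was issued against

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(32)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        challenge = self._pending.pop(code, None)  # codes are single use
        if challenge is None:
            return None
        # Whoever redeems the code must hold the verifier the challenge came from.
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None
        return "access_token_" + secrets.token_hex(8)


def run_flows() -> dict:
    """A client holding the verifier redeems its code; a party holding only the code cannot."""
    server = AuthorizationServer()
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)
    # Legitimate native app: it generated the verifier and redeems its own code.
    legitimate = server.token(server.authorize(challenge), verifier)
    # The advisory's scenario: another app on the device observes a fresh code but
    # never saw the verifier, so it can only present one of its own.
    intercepted = server.token(server.authorize(challenge), new_code_verifier())
    return {"legitimate_redeemed": legitimate is not None,
            "intercepted_redeemed": intercepted is not None}
```

With the check in place the observed code alone is useless to the second app; the fixed library version is what ensures the client side participates in this exchange correctly.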

What is the Impact of CVE-2020-7692?

Successful exploitation may allow attackers to gain unauthorized access to protected resources, modify or delete critical data, and compromise data integrity and confidentiality.

What is the Exploitability of CVE-2020-7692?

Exploitation requires a malicious application on the client side capable of intercepting the authorization code. It does not require direct authentication or high privileges on the server side, but it does rely on human interaction from a user running the malicious client application. The attack is local to the user's device: while the attacker can be remote, the initial vector is a locally installed malicious app. The complexity is moderate, as it involves crafting a malicious app and relies on certain conditions, such as the client making an OAuth request without proper PKCE validation at the authorization server for native apps. The likelihood of exploitation increases if users are prone to installing untrusted applications.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-7692?

Available Upgrade Options

  • com.google.oauth-client:google-oauth-client
    • <1.31.0 → Upgrade to 1.31.0


Additional Resources

What are Similar Vulnerabilities to CVE-2020-7692?

Similar Vulnerabilities: CVE-2020-10978, CVE-2021-39148, CVE-2022-42969, CVE-2023-38035, CVE-2023-28434