{"id":"CVE-2020-7692","details":"PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.","aliases":["GHSA-f263-c949-w85g","SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276"],"modified":"2026-05-11T12:12:21.909579Z","published":"2020-07-09T14:15:11.107Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f%40%3Ccommits.druid.apache.org%3E"},{"type":"ADVISORY","url":"https://github.com/googleapis/google-oauth-java-client/issues/469"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276"},{"type":"FIX","url":"https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824"},{"type":"EVIDENCE","url":"https://tools.ietf.org/html/rfc7636%23section-1"},{"type":"EVIDENCE","url":"https://tools.ietf.org/html/rfc8252%23section-8.1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/googleapis/google-oauth-java-client","events":[{"introduced":"0"},{"fixed":"fa8c6ba33d9066ce5b14aa59f9a2c9972a8e95aa"},{"fixed":"13433cd7dd06267fc261f0b1d4764f8e3432c824"}],"database_specific":{"cpe":"cpe:2.3:a:google:oauth_client_library_for_java:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.31.0"}]}}],"versions":["1.20.0","v1.26.0","v1.26.1","v1.26.2","v1.27.0","v1.28.0"
,"v1.29.0","v1.30.0","v1.30.1","v1.30.2","v1.30.3","v1.30.4","v1.30.5","v1.30.6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7692.json","vanir_signatures_modified":"2026-05-11T12:12:21Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}