漏洞信息详情
Google google-oauth-client 安全漏洞
- CNNVD编号:CNNVD-202007-408 <!--
- 危害等级: 超危-->
- 危害等级: 超危
- CVE编号: CVE-2020-7692
- 漏洞类型: 其他
- 发布时间: 2020-07-09
- 威胁类型: 远程
- 更新时间: 2021-03-08
- 厂 商:
- 漏洞来源:
-
漏洞简介
Google google-oauth-java-client(Google OAuth Client Library for Java)是美国谷歌(Google)公司的一款基于Java的Google OAuth(开放授权)客户端库。
Google com.google.oauth-client:google-oauth-client 1.31.0之前版本中存在安全漏洞。攻击者可借助恶意应用程序利用该漏洞获取授权码,从而获取授权,访问受保护的资源。
漏洞公告
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:
https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
参考网址
来源:MISC
链接:https://tools.ietf.org/html/rfc8252%23section-8.1
来源:MISC
链接:https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276
来源:MLIST
链接:https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678@%3Ccommits.druid.apache.org%3E
来源:MISC
链接:https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
来源:MISC
链接:https://tools.ietf.org/html/rfc7636%23section-1
来源:MLIST
链接:https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f@%3Ccommits.druid.apache.org%3E
来源:MISC
链接:https://github.com/googleapis/google-oauth-java-client/issues/469
来源:www.ibm.com
链接:https://www.ibm.com/blogs/psirt/security-bulletin-upgrade-javaenv2-2-to-address-gradle-oauth-authentication-concerns/
来源:www.ibm.com
链接:https://www.ibm.com/blogs/psirt/security-bulletin-google-api-client-as-used-by-ibm-qradar-siem-is-vulnerable-to-authorization-bypass-cve-2020-7692/
来源:vigilance.fr
链接:https://vigilance.fr/vulnerability/com-google-oauth-client-privilege-escalation-via-Unimplemented-PKCE-34711
来源:www.ibm.com
链接:https://www.ibm.com/blogs/psirt/security-bulletin-google-api-client-as-used-by-ibm-qradar-siem-is-vulnerable-to-authorization-bypass-cve-2020-7692-2/
来源:nvd.nist.gov
链接:https://nvd.nist.gov/vuln/detail/CVE-2020-7692
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2021.0809
受影响实体
暂无
补丁
- Google google-oauth-client 安全漏洞的修复措施<!--2020-7-9-->
还没有评论,来说两句吧...