{"url":"http://public2.vulnerablecode.io/api/packages/463284?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.5.0-alpha","type":"maven","namespace":"com.google.oauth-client","name":"google-oauth-client","version":"1.5.0-alpha","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.33.3","latest_non_vulnerable_version":"1.33.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208282?format=json","vulnerability_id":"VCID-1tna-9vdx-tbg5","summary":"The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22573.json","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22573.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22573","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17791","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17631","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17781","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17807","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22573"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573"},{"reference_url":"https://github.com/googleapis/google-oauth-java-client","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/googleapis/google-oauth-java-client"},{"reference_url":"https://github.com/googleapis/google-oauth-java-client/commit/c634ad4e31cac322bb1aa8a9feb0569749011bf0","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/googleapis/google-oauth-java-client/commit/c634ad4e31cac322bb1aa8a9feb0569749011bf0"},{"reference_url":"https://github.com/googleapis/google-oauth-java-client/pull/872","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/googleapis/google-oauth-java-client/pull/872"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010657","reference_id":"1010657","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010657"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2081879","reference_id":"2081879","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2081879"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22573","reference_id":"CVE-2021-22573","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22573"},{"reference_url":"https://github.com/advisories/GHSA-hw42-3568-wj87","reference_id":"GHSA-hw42-3568-wj87","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hw42-3568-wj87"},{"reference_url":"https://github.com/googleapis/google-oauth-java-client/security/advisories/GHSA-hw42-3568-wj87","reference_id":"GHSA-hw42-3568-wj87","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/googleapis/google-oauth-java-client/security/advisories/GHSA-hw42-3568-wj87"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:4932","reference_id":"RHSA-2022:4932","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:4932"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5030","reference_id":"RHSA-2022:5030","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5030"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5532","reference_id":"RHSA-2022:5532","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5532"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:7177","reference_id":"RHSA-2022:7177","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:7177"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20737?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.33.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.33.3"}],"aliases":["CVE-2021-22573","GHSA-hw42-3568-wj87"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1tna-9vdx-tbg5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208087?format=json","vulnerability_id":"VCID-24zg-76th-b7a9","summary":"PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7692.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7692.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7692","reference_id":"","reference_type":"","scores":[{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25684","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25884","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25901","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25883","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7692"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7692","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7692"},{"reference_url":"https://github.com/googleapis/google-oauth-java-client","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/googleapis/google-oauth-java-client"},{"reference_url":"https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824"},{"reference_url":"https://github.com/googleapis/google-oauth-java-client/issues/469","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/googleapis/google-oauth-java-client/issues/469"},{"reference_url":"https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7692","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7692"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276"},{"reference_url":"https://tools.ietf.org/html/rfc7636%23section-1","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tools.ietf.org/html/rfc7636%23section-1"},{"reference_url":"https://tools.ietf.org/html/rfc8252%23section-8.1","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tools.ietf.org/html/rfc8252%23section-8.1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1856376","reference_id":"1856376","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1856376"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988944","reference_id":"988944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988944"},{"reference_url":"https://github.com/advisories/GHSA-f263-c949-w85g","reference_id":"GHSA-f263-c949-w85g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f263-c949-w85g"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0560","reference_id":"RHSA-2023:0560","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0560"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0777","reference_id":"RHSA-2023:0777","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0777"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3299","reference_id":"RHSA-2023:3299","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3299"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6172","reference_id":"RHSA-2023:6172","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6172"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0778","reference_id":"RHSA-2024:0778","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0778"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382546?format=json","purl":"pkg:maven/com.google.oauth-client/google-oauth-client@1.31.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1tna-9vdx-tbg5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.31.0"}],"aliases":["CVE-2020-7692","GHSA-f263-c949-w85g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-24zg-76th-b7a9"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.google.oauth-client/google-oauth-client@1.5.0-alpha"}