SCA: security update for com.google.oauth-client:google-oauth-client (GHSA-f263-c949-w85g)

critical Tenable Self-Hosted Container Security Plugin ID 414195

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use
of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the
client that issued the initial authorization request is the one that will be authorized. An attacker is
able to obtain the authorization code using a malicious app on the client-side and use it to gain
authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-
client before 1.31.0. (CVE-2020-7692)

See Also

https://github.com/advisories/GHSA-f263-c949-w85g

Plugin Details

Severity: Critical

ID: 414195

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2020-7692

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/28/2021

Vulnerability Publication Date: 7/9/2020

Reference Information

CVE: CVE-2020-7692