Tags: google-api, google-drive-api, google-oauth, cve

How to fix CVE-2020-7692 in com.google.apis:google-api-services-drive:v2-rev362-1.25.0


I wanted to fix CVE-2020-7692, reported in com.google.apis:google-api-services-drive:v2-rev362-1.25.0. This CVE is coming from com.google.oauth-client:google-oauth-client. Would it be fine if I only upgrade the oauth-client library like the following?

    implementation('com.google.apis:google-api-services-drive:v2-rev362-1.25.0') {
        exclude group: 'com.google.oauth-client', module: 'google-oauth-client'
    }
    implementation 'com.google.oauth-client:google-oauth-client:1.33.3'

I wanted to know whether it is safe to fix the CVE by only upgrading the google-oauth-client library.

This CVE can also be fixed by upgrading google-api-services-drive to version v3, but this requires a lot of changes in the backend service due to the deprecation of classes and methods that were present in version v2.


Solution

  • What you can do is search for the vulnerability on NIST.

    https://nvd.nist.gov/vuln/detail/CVE-2020-7692

    The description states

    PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.

    The text states that vulnerable versions are before 1.31.0, which means the version you're using, 1.33.3, is not affected anymore.
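One thing worth adding to the answer: an exclude on a single dependency only removes google-oauth-client from that dependency's subtree, so any other transitive path could still request the old version, and the only thing that matters for the CVE is which version Gradle actually resolves onto the runtime classpath. The usual way to see that is `./gradlew dependencies --configuration runtimeClasspath` (or `dependencyInsight --dependency google-oauth-client`). The script below is an added example, not code from either post: it parses that dependency-tree output, understands Gradle's `1.25.0 -> 1.33.3` conflict-resolution notation, and reports whether every resolved version is at or above the 1.31.0 fix version from the NVD entry. Both trees it runs against are constructed sample output (the `com.example:legacy-helper` module is a hypothetical second dependency), not captured from a real build.

```python
import re
from typing import Dict, List, Tuple

# Fix version stated in the NVD entry for CVE-2020-7692.
FIXED_VERSION = "1.31.0"
MODULE = "com.google.oauth-client:google-oauth-client"

# One dependency line of `gradle dependencies` output, e.g.
#   |    \--- com.google.oauth-client:google-oauth-client:1.25.0 -> 1.33.3 (*)
# group 1 = requested version, group 2 = resolved version when Gradle upgraded it.
DEP_LINE = re.compile(
    r"^[|\s+\\-]*" + re.escape(MODULE) + r":([\w.\-]+)(?:\s*->\s*([\w.\-]+))?"
)

# Constructed sample: the exclude from the question was applied and 1.33.3 declared
# directly, but a hypothetical second library still requests 1.25.0; Gradle's
# conflict resolution upgrades that path to 1.33.3.
SAFE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.google.apis:google-api-services-drive:v2-rev362-1.25.0
|    \\--- com.google.api-client:google-api-client:1.25.0
|         \\--- com.google.http-client:google-http-client-jackson2:1.25.0
+--- com.example:legacy-helper:1.0
|    \\--- com.google.oauth-client:google-oauth-client:1.25.0 -> 1.33.3 (*)
\\--- com.google.oauth-client:google-oauth-client:1.33.3
"""

# Constructed sample: no exclude and no explicit dependency, so the Drive client's
# transitive 1.25.0 is what ends up on the classpath.
VULNERABLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
\\--- com.google.apis:google-api-services-drive:v2-rev362-1.25.0
     \\--- com.google.api-client:google-api-client:1.25.0
          +--- com.google.http-client:google-http-client-jackson2:1.25.0
          \\--- com.google.oauth-client:google-oauth-client:1.25.0
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.33.3' into (1, 33, 3); non-numeric parts become 0 so comparison never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def resolved_versions(tree: str) -> List[Tuple[str, str]]:
    """Return (requested, resolved) for every path that pulls in MODULE."""
    found = []
    for line in tree.splitlines():
        m = DEP_LINE.match(line)
        if m:
            requested = m.group(1)
            resolved = m.group(2) or requested  # no '->' means requested == resolved
            found.append((requested, resolved))
    return found


def check_tree(tree: str) -> Dict[str, object]:
    """Summarise whether the resolved google-oauth-client version(s) are at or above FIXED_VERSION."""
    pairs = resolved_versions(tree)
    if not pairs:
        return {"present": False, "safe": True, "resolved": [], "paths": 0}
    resolved = sorted({r for _, r in pairs}, key=parse_version)
    lowest = resolved[0]
    return {
        "present": True,
        "resolved": resolved,
        "paths": len(pairs),
        "safe": parse_version(lowest) >= parse_version(FIXED_VERSION),
    }


if __name__ == "__main__":
    for name, tree in (("safe", SAFE_TREE), ("vulnerable", VULNERABLE_TREE)):
        print(name, check_tree(tree))
```

To use it against a real project, pipe the output of `./gradlew dependencies --configuration runtimeClasspath` into `check_tree` in place of the constructed strings; `paths` tells you how many transitive routes still request the library, which is the number of places a future dependency bump could silently reintroduce an old version.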