Improper Input Validation Affecting personnummer package, versions <3.0.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-PERSONNUMMER-3030045
- published 22 Sep 2022
- disclosed 21 Sep 2022
- credit Niklas Sköldmark
How to fix?
Upgrade personnummer
to version 3.0.1 or higher.
Overview
Affected versions of this package are vulnerable to Improper Input Validation via the regular expression allowing the first three digits in the last four digits of the personnummer
to be
000
, which is invalid. It is exploitable when the user relies on the four last digits of the personnummer to be a _real_ personnummer
.
Workarounds
If upgrading to the fixed version is not possible, a check on the last four digits can be made to make sure it's not
000x
.
CVSS Scores
version 3.1