Improper Input Validation Affecting personnummer package, versions <3.0.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-PERSONNUMMER-3030045
  • published 22 Sep 2022
  • disclosed 21 Sep 2022
  • credit Niklas Sköldmark

Introduced: 21 Sep 2022

CVE NOT AVAILABLE CWE-20 Open this link in a new tab

How to fix?

Upgrade personnummer to version 3.0.1 or higher.

Overview

Affected versions of this package are vulnerable to Improper Input Validation via the regular expression allowing the first three digits in the last four digits of the personnummer to be 000, which is invalid. It is exploitable when the user relies on the four last digits of the personnummer to be a _real_ personnummer.

Workarounds

If upgrading to the fixed version is not possible, a check on the last four digits can be made to make sure it's not 000x.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None