Validation bypass vulnerability

Moderate
Johannestegner published GHSA-hrr3-xjv7-xmfw Apr 25, 2023

Package

maven personnummer (Maven)

Affected versions

<3.4.1

Patched versions

3.4.1

Description

A vulnerability report was submitted stating that the date check in the package's parse function accepts February 29 on non-leap years.
This happens because parsing used the DateTimeFormatter class rather than the LocalDate class.

A patch has been made to use the LocalDate class during parsing.
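As an added illustration (not the package's own code), the Java snippet below contrasts the two approaches the advisory names: the default DateTimeFormatter resolver clamps an out-of-range day-of-month to the last valid day, while LocalDate.of rejects it. The helper names and the sample dates are assumptions made for this example.

```java
import java.time.DateTimeException;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;

public class LeapDayCheck {

    // Lenient check: DateTimeFormatter.ofPattern uses ResolverStyle.SMART by
    // default, which clamps day-of-month to the last valid day of the month.
    // "20230229" therefore resolves to 2023-02-28 and no exception is thrown,
    // so an invalid leap day passes as valid.
    static boolean validWithFormatter(String yyyymmdd) {
        try {
            LocalDate.parse(yyyymmdd, DateTimeFormatter.ofPattern("yyyyMMdd"));
            return true;
        } catch (DateTimeParseException e) {
            return false;
        }
    }

    // Strict check: LocalDate.of throws DateTimeException when the
    // day-of-month does not exist for the given year and month.
    static boolean validWithLocalDate(String yyyymmdd) {
        if (yyyymmdd == null || !yyyymmdd.matches("\\d{8}")) {
            return false;
        }
        int year = Integer.parseInt(yyyymmdd.substring(0, 4));
        int month = Integer.parseInt(yyyymmdd.substring(4, 6));
        int day = Integer.parseInt(yyyymmdd.substring(6, 8));
        try {
            LocalDate.of(year, month, day);
            return true;
        } catch (DateTimeException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample dates: a real leap day, a non-leap-year Feb 29,
        // and a day that never exists in February.
        String[] samples = {"20240229", "20230229", "20230230"};
        for (String s : samples) {
            System.out.printf("%s formatter=%b localDate=%b%n",
                    s, validWithFormatter(s), validWithLocalDate(s));
        }
    }
}
```

The same clamping applies to any day past the end of a month under SMART resolution; only the LocalDate.of check (or a formatter with ResolverStyle.STRICT and the "uuuu" year pattern) rejects such input.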

Impact

This vulnerability affects most users who rely on the package's validation of social security numbers.

Patches

The vulnerability has been patched in version 3.4.1 of the personnummer Java package.

Workarounds

A possible workaround is to parse the date before passing it to the personnummer parse function or constructor, although exceptions might still be thrown when calling any of the package's get-functions.
The recommended action is to update to the latest patched version of the package.

References

#92
For more information

If you have any questions or comments about this advisory:

Open an issue in Personnummer Meta
Email us at Personnummer Email

Credits

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs