A vulnerability report was submitted stating that the date check in the package's parse function accepts February 29 in non-leap years.
This happens because the DateTimeFormatter class is used rather than the LocalDate class.
A patch has been made to use the LocalDate class during parsing.
Impact
This vulnerability impacts most users relying on the validation of the social security numbers.
Patches
The vulnerability has been patched in version 3.4.1 of the personnummer Java package.
Workarounds
A possible workaround is to parse the date before passing it to the personnummer parse function or constructor, although exceptions might be thrown when accessing any get-function in the package.
The recommended action is to update to the latest patch version of the package.
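For callers who cannot upgrade yet, the following added example (not code from the personnummer package, whose parsing code is not shown in this advisory) illustrates the standard JDK behaviour behind this class of bug and a date pre-check built on LocalDate. The class name `DatePrecheck`, the helper `isRealDate`, the eight-digit `yyyyMMdd` input form and the sample values are assumptions made for the illustration.

```java
import java.time.DateTimeException;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.ResolverStyle;

public class DatePrecheck {
    // Default ResolverStyle.SMART: a day-of-month between 1 and 31 that is too
    // large for the month is adjusted to the last valid day, not rejected.
    static final DateTimeFormatter SMART = DateTimeFormatter.ofPattern("yyyyMMdd");

    // ResolverStyle.STRICT rejects impossible dates. The pattern uses "uuuu"
    // because strict mode cannot resolve "yyyy" (year-of-era) without an era.
    static final DateTimeFormatter STRICT =
            DateTimeFormatter.ofPattern("uuuuMMdd").withResolverStyle(ResolverStyle.STRICT);

    /** Hypothetical pre-check: true only if the eight digits name a real calendar date. */
    static boolean isRealDate(String yyyymmdd) {
        if (yyyymmdd == null || !yyyymmdd.matches("\\d{8}")) return false;
        try {
            // LocalDate.of validates the day against the actual month and year.
            LocalDate.of(
                    Integer.parseInt(yyyymmdd.substring(0, 4)),
                    Integer.parseInt(yyyymmdd.substring(4, 6)),
                    Integer.parseInt(yyyymmdd.substring(6, 8)));
            return true;
        } catch (DateTimeException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: leap day, non-leap Feb 29, April 31, month 13.
        String[] samples = {"20200229", "20210229", "20210431", "20211301"};
        for (String s : samples) {
            String smart, strict;
            try { smart = LocalDate.parse(s, SMART).toString(); }
            catch (DateTimeException e) { smart = "rejected"; }
            try { strict = LocalDate.parse(s, STRICT).toString(); }
            catch (DateTimeException e) { strict = "rejected"; }
            System.out.printf("%s smart=%s strict=%s LocalDate.of=%s%n",
                    s, smart, strict, isRealDate(s) ? "valid" : "rejected");
        }
    }
}
```

Run the pre-check on the date part before handing the full number to the package, and reject the input when it returns false.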
References
#92
For more information
If you have any questions or comments about this advisory:
Open an issue in Personnummer Meta
Email us at Personnummer Email
Credits