Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdnOW0tZ3czaC1oZzgz
field_test gem contains injection vulnerability
The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS).
Permalink: https://github.com/advisories/GHSA-wg9m-gw3h-hg83
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdnOW0tZ3czaC1oZzgz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: over 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-wg9m-gw3h-hg83, CVE-2019-13146
References:
- https://github.com/ankane/field_test/issues/17
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/field_test/CVE-2019-13146.yml
- https://web.archive.org/web/20210115194802/http://www.securityfocus.com/bid/109114
- https://web.archive.org/web/20220526020623/https://nvd.nist.gov/vuln/detail/CVE-2019-13146
- https://github.com/advisories/GHSA-wg9m-gw3h-hg83
Blast Radius: 11.4
Affected Packages
rubygems:field_test
Dependent packages: 0
Dependent repositories: 140
Downloads: 1,485,525 total
Affected Version Ranges: = 0.3.0
Fixed in: 0.3.1
All affected versions:
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.1, 0.7.0