CVE-2019-13146 - OpenCVE

The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS).

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Field Test Project	Field Test

Configuration 1 [-]

cpe:2.3:a:field_test_project:field_test:0.3.0:*:*:*:*:ruby:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/109114
https://github.com/ankane/field_test/issues/17
https://rubygems.org/gems/field_test

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-09T17:58:40

Updated: 2024-08-04T23:41:10.482Z

Reserved: 2019-07-01T00:00:00

Link: CVE-2019-13146

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-07-09T18:15:11.513

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-13146

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-11T12:06:06", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://rubygems.org/gems/field_test"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ankane/field_test/issues/17"}, {"name": "109114", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/109114"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13146", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://rubygems.org/gems/field_test", "refsource": "MISC", "url": "https://rubygems.org/gems/field_test"}, {"name": "https://github.com/ankane/field_test/issues/17", "refsource": "MISC", "url": "https://github.com/ankane/field_test/issues/17"}, {"name": "109114", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109114"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:41:10.482Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://rubygems.org/gems/field_test"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ankane/field_test/issues/17"}, {"name": "109114", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/109114"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13146", "datePublished": "2019-07-09T17:58:40", "dateReserved": "2019-07-01T00:00:00", "dateUpdated": "2024-08-04T23:41:10.482Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:field_test_project:field_test:0.3.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "9B5B13A5-62A8-41DA-A979-BA3AC2A9B49F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS)."}, {"lang": "es", "value": "La gema field_test versi\u00f3n 0.3.0 para Ruby, presenta una entrada no v\u00e1lida. Una llamada de m\u00e9todo que se espera que devuelva un valor de un determinado conjunto de entradas puede hacer devolver cualquier entrada, lo que puede ser peligroso dependiendo de c\u00f3mo las aplicaciones lo usen. Si una aplicaci\u00f3n considera que las variantes arbitrarias son de confianza, esto puede conllevar a una variedad de vulnerabilidades potenciales, tales como la inyecci\u00f3n SQL o una de tipo cross-site scripting (XSS)."}], "id": "CVE-2019-13146", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-09T18:15:11.513", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.securityfocus.com/bid/109114"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ankane/field_test/issues/17"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://rubygems.org/gems/field_test"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}