CVE-2019-13146 - Vulnerability Details - OpenCVE

The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS).

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00257.

Key SSVC decision points have not yet been added.

Vendors	Products
Field Test Project	Field Test

Configuration 1 [-]

cpe:2.3:a:field_test_project:field_test:0.3.0:*:*:*:*:ruby:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2019-0607	field_test gem contains injection vulnerability
Github GHSA	GHSA-wg9m-gw3h-hg83	field_test gem contains injection vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.securityfocus.com/bid/109114
https://github.com/ankane/field_test/issues/17
https://rubygems.org/gems/field_test

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-09T17:58:40

Updated: 2024-08-04T23:41:10.482Z

Reserved: 2019-07-01T00:00:00

Link: CVE-2019-13146

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-09T18:15:11.513

Modified: 2024-11-21T04:24:17.373

Link: CVE-2019-13146

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-11T12:06:06", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://rubygems.org/gems/field_test"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ankane/field_test/issues/17"}, {"name": "109114", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/109114"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13146", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://rubygems.org/gems/field_test", "refsource": "MISC", "url": "https://rubygems.org/gems/field_test"}, {"name": "https://github.com/ankane/field_test/issues/17", "refsource": "MISC", "url": "https://github.com/ankane/field_test/issues/17"}, {"name": "109114", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109114"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:41:10.482Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://rubygems.org/gems/field_test"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ankane/field_test/issues/17"}, {"name": "109114", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/109114"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13146", "datePublished": "2019-07-09T17:58:40", "dateReserved": "2019-07-01T00:00:00", "dateUpdated": "2024-08-04T23:41:10.482Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:field_test_project:field_test:0.3.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "9B5B13A5-62A8-41DA-A979-BA3AC2A9B49F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS)."}, {"lang": "es", "value": "La gema field_test versi\u00f3n 0.3.0 para Ruby, presenta una entrada no v\u00e1lida. Una llamada de m\u00e9todo que se espera que devuelva un valor de un determinado conjunto de entradas puede hacer devolver cualquier entrada, lo que puede ser peligroso dependiendo de c\u00f3mo las aplicaciones lo usen. Si una aplicaci\u00f3n considera que las variantes arbitrarias son de confianza, esto puede conllevar a una variedad de vulnerabilidades potenciales, tales como la inyecci\u00f3n SQL o una de tipo cross-site scripting (XSS)."}], "id": "CVE-2019-13146", "lastModified": "2024-11-21T04:24:17.373", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-09T18:15:11.513", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.securityfocus.com/bid/109114"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ankane/field_test/issues/17"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://rubygems.org/gems/field_test"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.securityfocus.com/bid/109114"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ankane/field_test/issues/17"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://rubygems.org/gems/field_test"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}