GHSA-28r9-pq4c-wp3c
Rust vulnerability analysis and mitigation

Overview

The personnummer Rust crate, which handles Swedish personal identity numbers, contained a vulnerability related to improper input validation (GHSA-28r9-pq4c-wp3c). The issue was discovered in June 2020 and publicly disclosed on September 4, 2020. The vulnerability affected versions prior to 3.0.1 of the personnummer Rust package. This security issue was classified as low severity and involved the validation of Swedish personal identity numbers in the format YYMMDD-XXXX (GitHub Advisory, RustSec Advisory).

Technical details

The vulnerability stemmed from a regular expression that incorrectly allowed the first three of the last four digits of the personnummer to be '000', which is invalid for Swedish personal identity numbers. Because the validation logic did not check these digits properly, invalid personal identity numbers could be processed as valid (RustSec Advisory).

Impact

This vulnerability impacted users who relied on the validation of the last four digits of personnummer to ensure they represented a real Swedish personal identity number. The impact was considered low severity due to the specific nature of the validation bypass (GitHub Advisory).

Mitigation and workarounds

The issue was patched in version 3.0.1 of the personnummer Rust crate. For users unable to upgrade immediately, the workaround is to implement an additional check ensuring the last four digits are not in the format '000x'. The fix added validation to ensure the serial number is greater than 0 (GitHub PR, GitHub Advisory).
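The workaround above written as a pre-check to run before the crate's own validation. This is an added example, not the crate's code or its patch: `check_serial` and `SerialCheck` are hypothetical names, the sample inputs are constructed, and the function assumes the serial number is the first three of the trailing four characters of the input.

```rust
/// Reasons the pre-check rejects an input (hypothetical type for this example).
#[derive(Debug, PartialEq)]
pub enum SerialCheck {
    TooShort,
    NotDigits,
    ZeroSerial,
}

/// Workaround pre-check: reject input whose last four digits are `000x`.
/// Returns the serial number (always greater than 0) when the check passes.
pub fn check_serial(input: &str) -> Result<u16, SerialCheck> {
    // Work on bytes: a valid tail is ASCII digits only, so a multi-byte
    // character in the last four bytes is rejected instead of mis-sliced.
    let bytes = input.trim().as_bytes();
    if bytes.len() < 4 {
        return Err(SerialCheck::TooShort);
    }
    let tail = &bytes[bytes.len() - 4..];
    if !tail.iter().all(|b| b.is_ascii_digit()) {
        return Err(SerialCheck::NotDigits);
    }
    // The first three of the last four digits form the serial number.
    let serial = tail[..3]
        .iter()
        .fold(0u16, |acc, b| acc * 10 + u16::from(*b - b'0'));
    if serial == 0 {
        return Err(SerialCheck::ZeroSerial);
    }
    Ok(serial)
}

fn main() {
    // Constructed sample inputs, not real identity numbers.
    for s in ["900101-0007", "900101-0017", "9001010003", "900101-00a7"] {
        println!("{:>12} -> {:?}", s, check_serial(s));
    }
}
```

An input that passes this check still has to go through the crate's validation; the pre-check only closes the '000x' gap described in the advisory.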

This report was generated using AI
