CVE-2022-35956: SQL Injection
First published: Fri Aug 12 2022(Updated: )
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgrade to version >= 0.1.3 that uses `Arel` instead to construct the resulting sql statement, with sanitized sql.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Update By Case Project Update By Case | <0.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the CVE ID?
The CVE ID is CVE-2022-35956.
What is the severity of CVE-2022-35956?
The severity of CVE-2022-35956 is critical with a severity value of 9.8.
What is the vulnerability description of CVE-2022-35956?
CVE-2022-35956 is a vulnerability in the Update By Case gem for Ruby on Rails, which allows SQL injection when using version 0.1.3.
How does CVE-2022-35956 affect the software?
CVE-2022-35956 affects the Update By Case gem for Ruby on Rails version 0.1.3.
How can I fix CVE-2022-35956?
To fix CVE-2022-35956, upgrade to a version of the Update By Case gem that is higher than 0.1.3.
- collector/nvd-index
- vendor/update by case project
- canonical/update by case project update by case