First published: Fri Aug 12 2022(Updated: )
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgrade to version >= 0.1.3 that uses `Arel` instead to construct the resulting sql statement, with sanitized sql.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Update By Case Project Update By Case | <0.1.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The CVE ID is CVE-2022-35956.
The severity of CVE-2022-35956 is critical with a severity value of 9.8.
CVE-2022-35956 is a vulnerability in the Update By Case gem for Ruby on Rails, which allows SQL injection when using version 0.1.3.
CVE-2022-35956 affects the Update By Case gem for Ruby on Rails version 0.1.3.
To fix CVE-2022-35956, upgrade to a version of the Update By Case gem that is higher than 0.1.3.