CVE-2022-35956

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-35956

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35956.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-35956

Aliases

GHSA-33wh-w4m7-c6r8

Published

2022-08-12T20:50:08Z

Modified

2025-11-28T04:44:51.474544Z

Severity

5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS Calculator

Summary

update_by_case before 0.1.3 vulnerable to sql injection

Details

This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 update_by_case gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgrade to version >= 0.1.3 that uses Arel instead to construct the resulting sql statement, with sanitized sql.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35956.json"
}

References

Affected packages

Git / github.com/camilova/activerecord-update-by-case

Affected ranges

Type: GIT
Repo: https://github.com/camilova/activerecord-update-by-case
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

31c44b7837537121cc43cb2f896954fe115d1d06

Affected versions

v0.*

v0.1.2-stable

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35956.json"