cvedb.io
CVE-2022-35956
MEDIUM · CVSS 5.8
EPSS exploitation probability: 0%
Published 2022-08-12T21:15:08.113 · Last modified 2026-06-17T04:52:35.877

Summary

update_by_case is a Rails gem that adds two methods to ActiveRecord::Base for updating many records in a single database round trip, using a SQL CASE statement to assign each row its own value. Before version 0.1.3 the gem built that statement from raw, unsanitized SQL strings, so values passed in by the caller (and therefore anything derived from user input) reached the query text unescaped, making it vulnerable to SQL injection. Version 0.1.3 and later construct the statement with Arel, which quotes the values. Upgrade to version >= 0.1.3 and confirm the version actually resolved in your Gemfile.lock, since a loose constraint in the Gemfile alone does not guarantee the fixed release is installed.
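The following Ruby is an added example, not code from the update_by_case gem or its advisory. It contrasts the pre-0.1.3 pattern (interpolating caller-supplied values straight into a CASE statement) with a build that validates identifiers and quotes every literal. The method names, the table and column names, and the quoting helper are assumptions: in a real Rails application the literal quoting would come from `ActiveRecord::Base.connection.quote` or an Arel node rather than the stand-in below.

```ruby
# Added example (not the gem's own code). A minimal stand-in for
# ActiveRecord's connection.quote: NULL for nil, bare numbers, and a
# single-quoted string with embedded quotes doubled for everything else.
def quote_literal(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Identifiers (table/column names) cannot be bound as parameters, so they are
# validated against a strict pattern and double-quoted instead.
IDENT = /\A[A-Za-z_][A-Za-z0-9_]*\z/

def quote_identifier(name)
  raise ArgumentError, "bad identifier: #{name.inspect}" unless name.to_s.match?(IDENT)
  "\"#{name}\""
end

# VULNERABLE: mirrors the pre-0.1.3 approach. Every value and id is
# interpolated into the SQL text as-is, so a quote in a value ends the
# literal early and the rest of the value becomes SQL.
def unsafe_case_update(table, column, values_by_id)
  whens = values_by_id.map { |id, v| "WHEN #{id} THEN '#{v}'" }.join(" ")
  "UPDATE #{table} SET #{column} = CASE id #{whens} END " \
    "WHERE id IN (#{values_by_id.keys.join(',')})"
end

# HARDENED: ids must parse as integers, identifiers are validated, and each
# value goes through quote_literal, so attacker input can never close the
# literal it sits in.
def safe_case_update(table, column, values_by_id)
  ids = values_by_id.keys.map { |id| Integer(id) } # ArgumentError on "1 OR 1=1"
  whens = values_by_id.map do |id, v|
    "WHEN #{Integer(id)} THEN #{quote_literal(v)}"
  end.join(" ")
  "UPDATE #{quote_identifier(table)} SET #{quote_identifier(column)} = " \
    "CASE #{quote_identifier('id')} #{whens} END " \
    "WHERE #{quote_identifier('id')} IN (#{ids.join(', ')})"
end

# Crude check used only by this example: count statements by scanning for
# semicolons that sit outside single-quoted string literals ('' is an escape).
def statement_count(sql)
  in_string = false
  count = 1
  i = 0
  while i < sql.length
    c = sql[i]
    if in_string
      if c == "'"
        if sql[i + 1] == "'"
          i += 1            # escaped quote, still inside the literal
        else
          in_string = false
        end
      end
    elsif c == "'"
      in_string = true
    elsif c == ";"
      count += 1
    end
    i += 1
  end
  count
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payload: a value that tries to terminate the literal.
  payload = { 1 => "x'; DROP TABLE users; --" }
  puts unsafe_case_update("users", "name", payload)
  puts safe_case_update("users", "name", payload)
end
```

With the constructed payload, the unsafe builder emits three statements (the original UPDATE, the DROP TABLE, and a trailing comment) while the hardened builder emits one, with the payload preserved as harmless text. Rejecting non-integer ids matters as much as quoting values: the `WHERE id IN (...)` list is a second injection point that quoting strings alone would miss.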

Affected products

update_by_case_project — update_by_case


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.