Lucene search

Veracode Vulnerability DatabaseVERACODE:36688

HistoryAug 12, 2022 - 5:40 a.m.

SQL Injection

2022-08-1205:40:41

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

31.3%

JSON

update_by_case is vulnerable to sql injection. The vulnerability exists in the update_by_case! function in update_by_case.rb as it calls some functions in utils.rb that use custom sql strings which are not properly sanitized, which allows an attacker to inject and execute arbitrary SQL commands.

CPENameOperatorVersion
update_by_casele0.1.2
update_by_casele0.1.2

CPE	Name	Operator	Version
	update_by_case	le	0.1.2
	update_by_case	le	0.1.2

References

github.com/advisories/GHSA-33wh-w4m7-c6r8

github.com/camilova/activerecord-update-by-case/commit/a10eb9e5811809d4b4d6f182716c8abb938a25fc

github.com/camilova/activerecord-update-by-case/releases/tag/v0.1.3-stable

github.com/camilova/activerecord-update-by-case/security/advisories/GHSA-33wh-w4m7-c6r8

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

31.3%

JSON

Related for VERACODE:36688