From 01f712476bf35ab67eb643cf627f5e0fa17bf560 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 22 Mar 2024 14:04:15 +0000 Subject: [PATCH] Add change note and update severity --- ruby/ql/src/change-notes/2024-03-22-mass-assignment.md | 4 ++++ ruby/ql/src/queries/security/cwe-915/MassAssignment.ql | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 ruby/ql/src/change-notes/2024-03-22-mass-assignment.md diff --git a/ruby/ql/src/change-notes/2024-03-22-mass-assignment.md b/ruby/ql/src/change-notes/2024-03-22-mass-assignment.md new file mode 100644 index 000000000000..3f8743a30796 --- /dev/null +++ b/ruby/ql/src/change-notes/2024-03-22-mass-assignment.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* Added a new query, `ruby/insecure-mass-assignment`, for finding instances of mass assignment operations accepting arbitrary parameters from remote user input. \ No newline at end of file diff --git a/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql b/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql index 8803aad745a8..a1c79cfce1e9 100644 --- a/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql +++ b/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql @@ -3,7 +3,7 @@ * @description Using mass assignment with user-controlled attributes allows unintended parameters to be set. * @kind path-problem * @problem.severity error - * @security-severity 7.5 + * @security-severity 9.8 * @precision high * @id ruby/insecure-mass-assignment * @tags security
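Review bot: The new change note `ruby/ql/src/change-notes/2024-03-22-mass-assignment.md` is committed without a trailing newline (the hunk ends with `\ No newline at end of file`); add one so the file matches the other change notes and the next edit to it does not produce a noisy diff. The bullet itself could also name the weakness class the query lives under (`cwe-915`, per the query path) so readers of the release notes can map it to the CWE without opening the query, e.g. "(CWE-915)" appended to the sentence.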
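Review bot: The bump from `@security-severity 7.5` to `9.8` in `MassAssignment.ql` is not justified anywhere in the hunk or in the commit message, and the two values imply different CVSS 3.x vectors: 9.8 is network-reachable, no privileges, no user interaction, with High confidentiality, integrity and availability impact, whereas 7.5 is the same exploitability with a single High impact. Mass assignment is first of all an integrity problem (attributes the developer never intended to expose get written); whether it also carries High confidentiality and availability impact depends on what the writable attributes control, which this metadata-only change does not argue. State the vector and the reasoning in the commit body, or in a comment beside the metadata, so the score can be checked against other queries in the repository at the same severity rather than taken on trust. `@problem.severity error` and `@precision high` are unchanged and are consistent with a score in either band.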