CVE-2016-3169: Saving user accounts can sometimes grant the user all roles

April 12, 2016 (updated April 13, 2016)

The User module in Drupal allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.

References

nvd.nist.gov/vuln/detail/CVE-2016-3169
www.drupal.org/SA-CORE-2016-001

Code Behaviors & Features

Detect and mitigate CVE-2016-3169 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →