CVE-2016-6317: Improper Access Control

September 7, 2016 (updated August 8, 2019)

The Rails gem does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request.

References

nvd.nist.gov/vuln/detail/CVE-2016-6317

Code Behaviors & Features

Detect and mitigate CVE-2016-6317 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →