CVE-2015-3224: Permissive List of Allowed Inputs
Specially crafted remote requests can spoof their origin and bypass the IP allowlist in any environment where Web Console is enabled (development and test, by default).

To work around this issue, turn off web-console in all environments by removing it from the application’s Gemfile or commenting it out there.
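
The workaround holds only when no active `web-console` declaration is left in the Gemfile, in any group. The Ruby check below is an added example, not code from the advisory or from the Web Console project; its line-based parsing, the function names and the sample Gemfiles are constructed assumptions.

```ruby
# Added example: list active (uncommented) web-console declarations in a Gemfile.
# Assumption: line-based parsing is enough; it understands `group ... do` blocks,
# inline `group:` / `groups:` options and `#` comments, not arbitrary Ruby.

GEM_LINE     = /\A\s*gem\s*\(?\s*["']web-console["']/
GROUP_OPEN   = /\A\s*group\b(.+?)\bdo\b/
INLINE_GROUP = /(?:\bgroups?:|:groups?\s*=>)\s*(\[[^\]]*\]|:\w+)/

def symbols(text)
  text.scan(/:(\w+)/).flatten.map(&:to_sym)
end

# Returns [{ line:, groups: }] for every declaration Bundler would still load.
def web_console_declarations(gemfile_text)
  stack = [] # one entry per open do/end block: the groups it contributes
  found = []
  gemfile_text.each_line.with_index(1) do |raw, lineno|
    line = raw.sub(/#.*/, "") # a commented-out gem line is already mitigated
    if (m = line.match(GROUP_OPEN))
      stack.push(symbols(m[1]))
    elsif line =~ /\bdo\s*(\|[^|]*\|)?\s*\z/
      stack.push([]) # source/platforms/etc. block: tracked for nesting only
    elsif line =~ /\A\s*end\b/
      stack.pop
    elsif line =~ GEM_LINE
      inline = line.match(INLINE_GROUP)
      groups = stack.flatten + (inline ? symbols(inline[1]) : [])
      found << { line: lineno, groups: groups.empty? ? [:default] : groups.uniq }
    end
  end
  found
end

# Constructed sample Gemfiles (not taken from any real project).
SAMPLE_ENABLED = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails"
  group :development, :test do
    gem "byebug"
    gem "web-console"
  end
GEMFILE
SAMPLE_MITIGATED = SAMPLE_ENABLED.sub('gem "web-console"', '# gem "web-console"')

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path && File.file?(path) ? File.read(path) : SAMPLE_ENABLED
  hits = web_console_declarations(text)
  hits.each { |h| puts "line #{h[:line]}: web-console active in #{h[:groups].join(', ')}" }
  puts "web-console is not active in this Gemfile" if hits.empty?
end
```

Pass the path to a Gemfile as the first argument; with no argument the script reports on the constructed sample.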