2012-06-13 Instructure Advisory IAC87646 - Rails SQL Injection Vulnerability
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
SECURITY UPDATE |
Release Date: | 2012-06-13 (Last update can be found below the document title) |
Description: | SQL Injection Attack in Rails Library |
Criticality Level: | Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
Impact: |
|
Systems Affected: | Canvas LMS |
Solution Status: | Patched |
Discovered By: | - |
Relevant Changesets: | https://github.com/instructure/canvas-lms/commit/6ade80562cd3cbfa804a7ebb06417c5b92c902cf |
Summary:
A SQL Injection Vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.
More information is available at http://seclists.org/oss-sec/2012/q2/504 .
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.