|Release Date:||2012-06-13 (Last update can be found below the document title)|
|Description:||SQL Injection Attack in Rails Library|
|Criticality Level:||Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )|
|Systems Affected:||Canvas LMS|
A SQL Injection Vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.
More information is available at http://seclists.org/oss-sec/2012/q2/504 .
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.