2012-11-26 Instructure Advisory IAC41628 - XML Parsing Vulnerability

Document created by jordan@instructure.com on Sep 22, 2015Last modified by Renee Carney on Sep 22, 2015
Version 2Show Document
  • View in full screen mode


Canvas + Logo transparent (WHITE)- 300px.png


  Release Date:2012-11-26  (Last update can be found below the document title)
  Description:XML Parsing Vulnerability
  Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  • Potential for attacker to view sensitive system information
  Systems Affected:Canvas LMS
  Solution Status:Patched in Canvas Cloud
  Discovered By:Securus Global
  Relevant Changesets:

Canvas: N/A

libxml2: http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f



An XML parsing vulnerability was discovered in libxml, the underlying library that Canvas uses for parsing incoming XML (through the Nokogiri Ruby gem). This vulnerability could allow an attacker to view sensitive system information on the application servers.


Because the bug is in libxml, there is no relevant change in Canvas itself. Users of Canvas CV are encouraged to either upgrade to libxml 2.9 or above, or apply the patch listed above manually and build new libxml packages.