2013-01-03 Instructure Advisory IAC56413 - Rails SQL Injection Vulnerability

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by biray@instructure.com on Sep 22, 2015 (Version 3).

    SECURITY UPDATE


 

  Release Date: 2013-01-03 (Last update can be found below the document title)
  Description: SQL Injection Attack in Rails Library
  Criticality Level: Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  • Privilege escalation
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: -
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/2a1ca6c06065fdb2b048add069a8d2edd64f035f


 

Summary:

A SQL Injection Vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. No working exploit against Canvas is known, but users of Canvas CV are still encouraged to apply the patch immediately.
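CVE-2012-5664 concerns Active Record dynamic finders (find_by_column and friends): they accept an optional trailing options hash (for example :select), and because Rails parses a query string such as ?id[select]=... into a Hash, a request parameter passed as the attribute value could be mistaken for that options hash and spliced into the SQL unquoted. The following is an added, stand-alone Ruby emulation of that bug pattern and of the shape of the upstream fix; it is not Rails code and not the Canvas changeset linked above. The FinderEmulator class, the simplified quoting, and the constructed MALICIOUS_PARAM value are assumptions made for illustration.

```ruby
# Stand-alone emulation of the CVE-2012-5664 bug pattern (added example; not
# Rails or Canvas code). A dynamic finder like find_by_id(params[:id]) accepted
# an optional trailing options Hash (:select etc.). In the vulnerable version,
# ANY trailing Hash is treated as options, so an attacker-supplied Hash that
# arrived as the attribute value is spliced into the SQL unquoted. The hardened
# version only treats a trailing Hash as options when there are more arguments
# than attribute names, which is the shape of the upstream fix.
class FinderEmulator
  FINDER_RE = /\Afind_by_(.+)\z/

  def initialize(table, hardened: false)
    @table = table
    @hardened = hardened
  end

  # Simplified literal quoting for the WHERE clause (assumption: real adapters
  # quote per database; doubling single quotes is enough for this emulation).
  def quote(value)
    "'" + value.to_s.gsub("'", "''") + "'"
  end

  # Dispatch find_by_<col>[_and_<col>...] calls, as Rails 2.3 did via method_missing.
  def method_missing(name, *args)
    md = FINDER_RE.match(name.to_s)
    return super unless md
    build_sql(md[1].split("_and_"), args)
  end

  def respond_to_missing?(name, include_private = false)
    FINDER_RE.match?(name.to_s) || super
  end

  private

  def build_sql(attribute_names, arguments)
    arguments = arguments.dup
    options =
      if !@hardened || arguments.length > attribute_names.length
        arguments.last.is_a?(Hash) ? arguments.pop : {}   # vulnerable: always pops a Hash
      else
        {}                                                # hardened: the Hash stays a value
      end
    conditions = attribute_names.zip(arguments).map do |column, value|
      value.nil? ? "#{column} IS NULL" : "#{column} = #{quote(value)}"
    end
    # :select is a raw SQL fragment by design, so a caller-controlled options
    # Hash is an injection point.
    select = options[:select] || "*"
    "SELECT #{select} FROM #{@table} WHERE #{conditions.join(' AND ')}"
  end
end

# Constructed attacker input: what Rails would parse from
#   ?id[select]=*+FROM+users+WHERE+login+%3D+'admin'+--
MALICIOUS_PARAM = { select: "* FROM users WHERE login = 'admin' --" }.freeze

def vulnerable_sql
  FinderEmulator.new("users", hardened: false).find_by_id(MALICIOUS_PARAM)
end

def hardened_sql
  FinderEmulator.new("users", hardened: true).find_by_id(MALICIOUS_PARAM)
end

def benign_sql
  FinderEmulator.new("users", hardened: true).find_by_id("42")
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_sql}"
  puts "hardened:   #{hardened_sql}"
  puts "benign:     #{benign_sql}"
end
```

In the vulnerable run the attacker's :select fragment becomes the SELECT list and the intended lookup degenerates to WHERE id IS NULL; in the hardened run the same Hash is quoted as an ordinary literal and never reaches the SQL structure. When auditing a Rails 2.3.x or 3.x codebase for this CVE, look for dynamic finders whose argument comes straight from params and confirm the framework is at or above the patched release rather than relying on the caller to coerce the value.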

 

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.

 

CVE: CVE-2012-5664

 

 

