2013-01-08 Instructure Advisory IAC94807 - Rails XML Parsing Vulnerability

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by scottd@instructure.com on Sep 22, 2015. Version 2.




  Release Date: 2013-01-08 (last update can be found below the document title)
  Description: Code Injection Attack in Rails Library
  Criticality Level: Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  • Manipulation of data
  • Exposure of sensitive information
  • Privilege escalation
  • Arbitrary code execution
  • Denial of Service
  Systems Affected: Canvas LMS
  Solution Status: Patch
  Relevant Changesets:
  • disable XML params parser · instructure/canvas-lms@0e0190f · GitHub



An XML parameter parsing vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. Canvas itself does not use XML parameter parsing, but it remains vulnerable until the fix is applied. Further information is available at https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/...




Fixed in Canvas Cloud. Users of Canvas CV are encouraged to immediately either update to the most recent stable code or apply the patch manually.
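For operators applying the fix by hand, the following is an added illustration (not the page's or Canvas's own code) of the Rails 2.3 initializer form of the mitigation the changeset above describes: drop the XML entry from ActionController::Base.param_parsers so XML request bodies are never turned into params. The initializer file name and the two helper functions are assumptions; ActionController::Base.param_parsers and Mime::XML are the Rails 2.3 names.

```ruby
# config/initializers/disable_xml_params.rb   (assumed file name)
#
# Rails 2.3 keeps a table mapping a Mime::Type to the parser that turns a
# request body of that type into params. Removing the XML entry means a body
# sent with an XML content type is left alone instead of being parsed, which
# is the "disable XML params parser" change. Canvas does not consume XML
# parameters, so nothing legitimate is lost.

# Kept as a pure function on the parser table so it can be exercised outside
# a running Rails process. Returns true when an XML parser was registered
# and has now been removed, false when there was nothing to remove.
def disable_xml_param_parsing!(parsers, xml_mime)
  !parsers.delete(xml_mime).nil?
end

# Content types that will still be parsed into params after the change;
# handy for confirming the table during deploy review.
def remaining_param_parsers(parsers)
  parsers.keys.map(&:to_s).sort
end

# Only touch Rails when this file is actually loaded as an initializer.
if defined?(ActionController::Base) && defined?(Mime::XML)
  unless disable_xml_param_parsing!(ActionController::Base.param_parsers, Mime::XML)
    warn "disable_xml_params: no XML parser was registered; nothing to remove"
  end
end
```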