2013-01-14 Instructure Advisory IAC39258 - Rails JSON Parsing Vulnerability

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by Renee Carney on Sep 22, 2015. Version 2.

    SECURITY UPDATE

  Release Date: 2013-01-14 (Last update can be found below the document title)
  Description: SQL Query Modification Attack in Rails Library
  Criticality Level: Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: -
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/784d9bce6dd627364cf2a8156d64128ceb0fad67


 

Summary:

A JSON parameter parsing vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. No attack vector against Canvas has been verified, but Canvas CV users are still encouraged to update immediately. Further information is available at

https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion

 

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to immediately either update to the most recent stable code or apply the patch manually.
