2013-01-28 Instructure Advisory IAC52500 - Rails JSON Parsing Vulnerability

Document created by jordan@instructure.com on Sep 22, 2015Last modified by jordan@instructure.com on Sep 22, 2015
Version 2Show Document
  • View in full screen mode

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

 

  Release Date:2013-01-28  (Last update can be found below the document title)
  Description:Code Injection Attack in Rails Library
  Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

Manipulation of data

Exposure of sensitive information

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:N/A
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/90378ae9b51b8acf0be690bca61f5f1454f3e0fe


 

Summary:

A JSON parsing vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. Further information is available at https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion

 

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.

 

CVE:

CVE-2013-0333

 


Attachments

    Outcomes