2014-03-11 Instructure Advisory IAC56688 - Arbitrary Enrollment Deletion

Document created by jordan@instructure.com on Sep 22, 2015Last modified by jordan@instructure.com on Sep 22, 2015
Version 3Show Document
  • View in full screen mode

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

 

  Release Date:2014-03-11  (Last update can be found below the document title)
  Description:

Arbitrary Enrollment Deletion

  Criticality Level:

Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )

  Impact:

Restricted Privilege Escalation

Manipulation of Sensitive Data

  Systems Affected:

Canvas LMS

  Solution Status:Patched
  Discovered By:

Shea Silverman and Brandon Stull

  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/a1b5d8ab1298d8aa03f8312cbb50d24a6a66dd6e


 

Summary:

A bug in permissions checking could allow a malicious user to mark enrollments as deleted in a course that they wouldn't normally have access to do so in. No data would be permanently lost, as the enrollment was only soft deleted and could be restored.

 

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.

 


Attachments

    Outcomes