2014-05-01 Instructure Advisory IAC93442 - User Login Creation

Document created by jordan@instructure.com on Sep 22, 2015
Last modified by scottd@instructure.com on Sep 22, 2015
Version 2


  Release Date: 2014-05-01 (Last update can be found below the document title)
  Description: Cross Account Login Creation
  Criticality Level: Moderately Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact: Exposure of Sensitive Data
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Internal Audit
  Relevant Changesets:

fix permission checks around pseudonym creation · instructure/canvas-lms@19d4d95 · GitHub 



A bug in permission checking could allow a malicious user to create logins in accounts where they would not normally be allowed to do so. This could allow access to basic account information, depending on authentication settings.



Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.