2014-05-08 Instructure Advisory IAC27818 - SQL Sanitization Vulnerability

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by biray@instructure.com on Sep 22, 2015. Version 2.

    SECURITY UPDATE

  Release Date: 2014-05-08 (Last update can be found below the document title)
  Description: SQL Sanitization Vulnerability
  Criticality Level: Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  • Privilege escalation

  Authentication Level: Logged-in Canvas admins and instructors

  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Instructure Internal Audit
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/1f231d1369a4fbfeac4211524210b87d6e1a669a

Summary:

A security audit has identified a SQL injection attack vector in the course import functionality, available to account admins and instructors.
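
The vulnerability class the advisory names, shown as an added illustration that is not the Canvas code from the linked changeset: the `courses` table, its sample rows and the two lookup functions below are constructed for this example and do not reflect the Canvas schema. `find_course_vulnerable` splices an import-supplied course name into the SQL text, which is the sanitization failure an audit looks for; `find_course_hardened` binds the same value as a parameter so the database never parses it as SQL. The example also covers the edge case that usually exposes this bug during review: a legitimate name containing an apostrophe breaks the interpolated query with a syntax error while the parameterized one handles it.

```python
import sqlite3

# Constructed sample data: a minimal in-memory "courses" table standing in for
# the account-scoped course list that an import would look up against.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE courses (id INTEGER PRIMARY KEY, account_id INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO courses (account_id, name) VALUES (?, ?)",
        [
            (1, "Biology 101"),
            (1, "Chemistry 201"),
            (2, "History 301"),
            (1, "Writer's Workshop"),
        ],
    )
    return conn


def find_course_vulnerable(conn, account_id, name):
    # Vulnerable pattern: the import-supplied name becomes part of the SQL text.
    # account_id is cast to int, so only the string field is attacker-controlled.
    sql = (
        f"SELECT id, name FROM courses "
        f"WHERE account_id = {int(account_id)} AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def find_course_hardened(conn, account_id, name):
    # Hardened pattern: the driver sends the values separately from the SQL text,
    # so the name can never change the query's structure.
    sql = "SELECT id, name FROM courses WHERE account_id = ? AND name = ?"
    return conn.execute(sql, (account_id, name)).fetchall()


def vulnerable_query_breaks_on_apostrophe(conn):
    # A benign name with an apostrophe is the cheapest functional check for this
    # bug class: the interpolated query fails to parse, the bound one succeeds.
    try:
        find_course_vulnerable(conn, 1, "Writer's Workshop")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Constructed input of the kind the vulnerable form mishandles: the lookup
    # that should be scoped to account 1 returns every row in the table.
    probe = "x' OR '1'='1"
    print("vulnerable:", find_course_vulnerable(db, 1, probe))
    print("hardened:  ", find_course_hardened(db, 1, probe))
    print("hardened, apostrophe:", find_course_hardened(db, 1, "Writer's Workshop"))
    print("interpolated query breaks on apostrophe:",
          vulnerable_query_breaks_on_apostrophe(db))
```

The cross-account leakage in the vulnerable form comes from SQL precedence: `AND` binds tighter than `OR`, so the account scope is silently discarded. That is why the advisory lists exposure of data beyond the caller's own account as an impact even though the caller is already authenticated.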

Status:

A fix has been developed and deployed to Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
