2014-06-27 Instructure Advisory IAC00722 - SAML Ruby gem vulnerability

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by biray@instructure.com on Sep 22, 2015.




  Release Date: 2014-06-27 (the last update date is given below the document title)
  Description: Vulnerability in the ruby-saml-mod Ruby gem (the SAML implementation used by Canvas)
  Criticality Level: Moderately Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  • Possible information leakage and/or unauthorized access
  Systems Affected: CanvasLMS
  Solution Status: Patched
  Discovered By: Vladislav Mladenov, Christian Mainka, Florian Feldmann and Julian Krautwald, Horst Görtz Institute for IT-Security, http://www.nds.rub.de/chair/news/
  Relevant Changesets: https://github.com/instructure/canvas-lms/commit/034cae39cc84ec924b4322cfb5fd7ea0fa89c56b




A vulnerability exists in version 0.1.28 of the ruby-saml-mod Ruby gem, which Canvas uses to process SAML authentication. Under the right conditions it could allow information leakage (see the criticality note above). The issue is fixed in version 0.1.29 of the gem; the changeset linked above moves Canvas to that version.



Fixed in Canvas Cloud as of 2014-06-27. Users of Canvas CV are encouraged either to update to the most recent stable code or to apply the changeset linked above manually, and to confirm afterwards that ruby-saml-mod 0.1.29 or later is the version actually locked in their deployment.
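A quick way to confirm that a self-hosted Canvas checkout has picked up the fixed gem is to read the locked version out of its Gemfile.lock rather than trusting the Gemfile constraint. The script below is an added example and is not Instructure's code; it parses the `specs:` section of a Gemfile.lock (the sample lockfile fragment is constructed, not taken from the Canvas repository) and compares the locked ruby-saml-mod version against the fixed version named in this advisory using RubyGems' own version ordering.

```ruby
# Added example (not Instructure's or Canvas's code): check a Gemfile.lock for
# the ruby-saml-mod version range named in this advisory.
require 'rubygems'

VULNERABLE_GEM = 'ruby-saml-mod'
FIXED_VERSION  = Gem::Version.new('0.1.29') # first fixed version per the advisory

# Parse the "specs:" entries of a Gemfile.lock and return {name => Gem::Version}.
# Only lines indented by exactly four spaces ("    name (version)") are resolved
# gems; six-space lines are dependency declarations and carry constraints, not
# locked versions, so they are skipped.
def locked_gem_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    next unless line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
    versions[$1] = Gem::Version.new($2)
  end
  versions
end

# Returns :vulnerable, :patched or :absent for ruby-saml-mod in the lockfile.
# Gem::Version compares numerically per segment, so "0.1.9" < "0.1.28" is
# handled correctly (a plain string comparison would get this wrong).
def saml_gem_status(lockfile_text)
  version = locked_gem_versions(lockfile_text)[VULNERABLE_GEM]
  return :absent if version.nil?
  version < FIXED_VERSION ? :vulnerable : :patched
end

# Constructed sample lockfile fragment showing the vulnerable version.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.6.1)
        mini_portile (~> 0.5.0)
      ruby-saml-mod (0.1.28)
        nokogiri
  PLATFORMS
    ruby
LOCK

if __FILE__ == $0
  # Usage: ruby check_saml_gem.rb [path/to/Gemfile.lock]
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts "#{VULNERABLE_GEM}: #{saml_gem_status(text)}"
end
```

Run it against the Gemfile.lock of the deployed checkout, not the development tree, since the locked version is what `bundle install --deployment` actually installs.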