Boundary issues with rubyzip gem

Release Date: 2014-07-24 (Last update can be found below the document title)
Criticality Level: Moderately Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
Systems Affected: Canvas LMS
Discovered By: Internal audit

A vulnerability was discovered within the rubyzip gem used by Canvas which could allow an attacker to gain access to the filesystem, directories, files and/or execute arbitrary code via symbolic links.
Fixed in Canvas Cloud as of 7/24/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
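
For anyone auditing their own archive-handling code for this class of issue, the following added example (not the Canvas patch and not rubyzip code) shows a boundary check that uses only the Ruby standard library. It assumes the issue concerns where extracted entries are written; `safe_destination`, `inside?`, `UnsafeEntryError` and the `symlink:` flag are hypothetical names, and the sample directory layout is constructed.

```ruby
require 'tmpdir'
require 'fileutils'

# Raised when an archive entry would be written outside the extraction root.
class UnsafeEntryError < StandardError; end

# True when `path` is `root` itself or lies beneath it (both already resolved).
def inside?(root, path)
  path == root || path.start_with?(root + File::SEPARATOR)
end

# Returns the absolute path an entry may be written to, or raises.
# `symlink` is a hypothetical flag: true when the zip reader in use reports
# that the entry itself is a symbolic link.
def safe_destination(root, entry_name, symlink: false)
  raise UnsafeEntryError, "symlink entry: #{entry_name}" if symlink
  real_root = File.realpath(root)
  # Joining first keeps absolute names and "~" under the root.
  target = File.expand_path(File.join(real_root, entry_name))
  raise UnsafeEntryError, "path leaves root: #{entry_name}" unless inside?(real_root, target)
  raise UnsafeEntryError, "would overwrite a symlink: #{entry_name}" if File.symlink?(target)
  # Resolve the deepest parent that already exists, so a symlink planted by
  # an earlier entry cannot redirect the write.
  parent = File.dirname(target)
  parent = File.dirname(parent) until File.exist?(parent) || File.symlink?(parent)
  resolved = begin
    File.realpath(parent)
  rescue SystemCallError
    nil # dangling or looping link
  end
  raise UnsafeEntryError, "symlinked parent leaves root: #{entry_name}" unless resolved && inside?(real_root, resolved)
  target
end

# Constructed sample: an extraction root that already holds a link to a sibling directory.
def demo
  Dir.mktmpdir do |base|
    root = File.join(base, 'extract')
    outside = File.join(base, 'outside')
    FileUtils.mkdir_p([root, outside])
    File.symlink(outside, File.join(root, 'link'))
    ['docs/a.txt', '../outside/a.txt', 'link/a.txt'].map do |name|
      begin
        [name, safe_destination(root, name).sub(File.realpath(root), '<root>')]
      rescue UnsafeEntryError => e
        [name, e.message]
      end
    end.to_h
  end
end
```

The parent-directory resolution matters because a lexical check alone accepts `link/a.txt`: the name contains no `..`, yet the write would follow the existing link out of the root.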