2014-10-13 Instructure Advisory IAC12920 - Path Traversal Vulnerability

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by scottd@instructure.com on Sep 22, 2015.
Version 2

    SECURITY UPDATE


  Release Date: 2014-10-13 (Last update can be found below the document title)
  Description: A path traversal vulnerability was discovered which potentially allowed for limited traversal of the host server’s filesystem and possible unauthorized access to files readable by the parent process.
  Criticality Level: Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact:
  • Potential unauthorized disclosure of information
  • Potential unauthorized file system access
  Systems Affected: Canvas LMS
  Solution Status: Remediated
  Discovered By: Issue was reported by Nabeel Ahmed
  Relevant Changesets: N/A


 

Summary:

A path traversal vulnerability was discovered which potentially allowed for limited traversal of the host server’s filesystem and possible unauthorized access to files readable by the parent process.

Once the vulnerability was reported and validated, steps were immediately taken to address the vulnerability. Furthermore, a full impact analysis was performed to determine if the vulnerability had been exploited.

The Instructure InfoSec team found no evidence of an exploit.

 

Status:

All vulnerable systems were patched against the vulnerability on the same day it was reported.

 

 

