2017-01-11 Instructure Advisory IAC20875 - Arbitrary Collaboration Enrollment

Document created by Wade Billings (Employee) on Jan 11, 2017. Last modified by Wade Billings (Employee) on Jan 11, 2017. Version 5.


  Release Date: 2017-01-11

Arbitrary Collaboration Enrollment

  Criticality Level: Highly Critical
  Impact: Potential Exposure of Sensitive Data
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Internal Audit
  Relevant Changesets: Restrict collaboration membership by context · instructure/canvas-lms@67491e3b · GitHub



During a routine security audit of the Canvas code base and platform, a bug in the permission check for collaboration enrollment was discovered that could allow a teacher or admin to enroll users in a course collaboration that those users would normally not have been permitted to join. This could expose basic user information about those users that the teacher or admin might not otherwise have had access to.
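As an added illustration (not Canvas code and not the linked changeset), the Ruby sketch below shows the class of check the advisory describes: a membership-add routine that only verifies the actor may manage the collaboration, beside one that additionally restricts the added users to the collaboration's own course context, which is the kind of context scoping the changeset title refers to. The `Context`, `Collaboration` and `CollaborationService` names, the `can_manage` hook and the roster data are all constructed for this example.

```ruby
# Added example (not Canvas code): scoping collaboration membership to the
# collaboration's own context, beside the unscoped check it replaces.

class PermissionDenied < StandardError; end
class ForbiddenMember < StandardError; end

# Constructed model: a course context carries its enrollment roster, and a
# collaboration belongs to exactly one context.
Context = Struct.new(:id, :enrolled_user_ids)
Collaboration = Struct.new(:id, :context, :member_ids)

class CollaborationService
  # can_manage: hypothetical hook answering "may this actor manage this
  # collaboration?" (the permission a teacher or admin would normally hold).
  def initialize(can_manage:)
    @can_manage = can_manage
  end

  # Unscoped variant: checks only that the actor may manage the collaboration
  # and then accepts whatever user ids were supplied. Users who are not
  # enrolled in the context can be added, which is the defect class the
  # advisory describes.
  def add_members_unscoped(actor, collab, user_ids)
    raise PermissionDenied unless @can_manage.call(actor, collab)
    collab.member_ids |= user_ids
    collab.member_ids
  end

  # Scoped variant: the same manage check, plus every requested user must be
  # enrolled in the collaboration's own context. Out-of-context ids are
  # rejected as a whole (fail closed) rather than silently dropped, so the
  # caller sees the failure and the attempt can be logged.
  def add_members_scoped(actor, collab, user_ids)
    raise PermissionDenied unless @can_manage.call(actor, collab)
    outside = user_ids - collab.context.enrolled_user_ids
    unless outside.empty?
      raise ForbiddenMember,
            "users #{outside.inspect} are not members of context #{collab.context.id}"
    end
    collab.member_ids |= user_ids
    collab.member_ids
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed roster: course 101 has users 1, 2 and 3; user 99 is not enrolled.
  course = Context.new(101, [1, 2, 3])
  svc = CollaborationService.new(can_manage: ->(actor, _collab) { actor == :teacher })

  loose = Collaboration.new(7, course, [1])
  puts "unscoped: #{svc.add_members_unscoped(:teacher, loose, [2, 99]).inspect}"

  strict = Collaboration.new(8, course, [1])
  puts "scoped:   #{svc.add_members_scoped(:teacher, strict, [2, 3]).inspect}"
  begin
    svc.add_members_scoped(:teacher, strict, [99])
  rescue ForbiddenMember => e
    puts "rejected: #{e.message}"
  end
end
```

The hardened routine keys the membership check to the collaboration's context rather than to the actor's privileges alone; a teacher's right to manage a collaboration does not by itself make an arbitrary user eligible to be placed in it.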



All systems were patched as of 15:14 MT on 1/5/2017.