The Instructure Community will enter a read-only state on November 22, 2025 as we prepare to migrate to our new Community platform in early December. Read our blog post for more info about this change.
SECURITY UPDATE |  |
| Release Date: | 2012-06-13 (Last update can be found below the document title) |
| Description: | SQL Injection Attack in Rails Library |
| Criticality Level: | Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: |
|
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | - |
| Relevant Changesets: | https://github.com/instructure/canvas-lms/commit/6ade80562cd3cbfa804a7ebb06417c5b92c902cf |
Summary:
A SQL Injection Vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.
More information is available at http://seclists.org/oss-sec/2012/q2/504 .
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.
Community help
To interact with Panda Bot, our automated chatbot, you need to sign up or log in:
Sign in