The Instructure Community will enter a read-only state on November 22, 2025 as we prepare to migrate to our new Community platform in early December. Read our blog post for more info about this change.
SECURITY UPDATE |  |
| Release Date: | 2012-11-26 (Last update can be found below the document title) |
| Description: | XML Parsing Vulnerability |
| Criticality Level: | Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: |
|
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched in Canvas Cloud |
| Discovered By: | Securus Global |
| Relevant Changesets: | Canvas: N/A libxml2: http://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f |
Summary:
An XML parsing vulnerability was discovered in libxml, the underlying library that Canvas uses for parsing incoming XML (through the Nokogiri Ruby gem). This vulnerability could allow an attacker to view sensitive system information on the application servers.
Because the bug is in libxml, there is no relevant change in Canvas itself. Users of Canvas CV are encouraged to either upgrade to libxml 2.9 or above, or apply the patch listed above manually and build new libxml packages.
Community help
To interact with Panda Bot, our automated chatbot, you need to sign up or log in:
Sign in