2013-01-28 Instructure Advisory IAC52500 - Rails JSON Parsing Vulnerability
SECURITY UPDATE
Release Date: 2013-01-28 (Last update can be found below the document title)
Description: Code Injection Attack in Rails Library
Criticality Level: Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
Impact: Manipulation of data; Exposure of sensitive information
Systems Affected: Canvas LMS
Solution Status: Patched
Discovered By: N/A
Relevant Changesets: https://github.com/instructure/canvas-lms/commit/90378ae9b51b8acf0be690bca61f5f1454f3e0fe
Summary:
A JSON parsing vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. Further information is available at https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.
CVE:
CVE-2013-0333