2013-02-11 Instructure Advisory IAC52874 - Rails Serialized Attribute, attr_protected and JSON Parsing Vulnerabilities

jordan
Instructure Alumni
Instructure Alumni
‎09-22-2015 01:21 PM
0
464

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2013-02-11  (Last update can be found below the document title)
  Description:Rails Serialized Attribute, attr_protected and JSON Parsing Vulnerabilities
  Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

Manipulation of data

Exposure of sensitive information

Arbitrary code execution

Denial of service

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:N/A
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/5af68ea3fa7153107be6a46334761efb5ac0ff61

https://github.com/instructure/canvas-lms/commit/36fa4321f405d670828056b8e17a683ddc656966

https://github.com/instructure/canvas-lms/commit/851adb150b6550ad439b35d0b1d9afd16dc28c3e

Summary:

Multiple vulnerabilities were discovered in the Ruby on Rails 2.x library that Canvas uses. Further information is available at https://groups.google.com/forum/#!forum/rubyonrails-security

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patches manually immediately.

CVE:

CVE-2013-0276, CVE-2013-0277, and CVE-2013-0269

0 Likes