SECURITY UPDATE |  |
| Release Date: | 2013-02-11 (Last update can be found below the document title) |
| Description: | Rails Serialized Attribute, attr_protected and JSON Parsing Vulnerabilities |
| Criticality Level: | Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: | Manipulation of data Exposure of sensitive information Arbitrary code execution Denial of service |
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | N/A |
| Relevant Changesets: | https://github.com/instructure/canvas-lms/commit/5af68ea3fa7153107be6a46334761efb5ac0ff61 https://github.com/instructure/canvas-lms/commit/36fa4321f405d670828056b8e17a683ddc656966 https://github.com/instructure/canvas-lms/commit/851adb150b6550ad439b35d0b1d9afd16dc28c3e |
Summary:
Multiple vulnerabilities were discovered in the Ruby on Rails 2.x library that Canvas uses. Further information is available at https://groups.google.com/forum/#!forum/rubyonrails-security
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patches manually immediately.
CVE:
CVE-2013-0276, CVE-2013-0277, and CVE-2013-0269
