| SECURITY UPDATE | |
| --- | --- |
| Release Date: | 2013-02-11 (Last update can be found below the document title) |
| Description: | Rails Serialized Attribute, attr_protected and JSON Parsing Vulnerabilities |
| Criticality Level: | Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical) |
| Impact: | Manipulation of data<br>Exposure of sensitive information<br>Arbitrary code execution<br>Denial of service |
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | N/A |
| Relevant Changesets: | https://github.com/instructure/canvas-lms/commit/5af68ea3fa7153107be6a46334761efb5ac0ff61<br>https://github.com/instructure/canvas-lms/commit/36fa4321f405d670828056b8e17a683ddc656966<br>https://github.com/instructure/canvas-lms/commit/851adb150b6550ad439b35d0b1d9afd16dc28c3e |
Summary:
Multiple vulnerabilities were discovered in the Ruby on Rails 2.x library that Canvas uses. Further information is available at https://groups.google.com/forum/#!forum/rubyonrails-security
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patches manually immediately.
CVE:
CVE-2013-0276, CVE-2013-0277, and CVE-2013-0269