2014-05-01 Instructure Advisory IAC93442 - User Login Creation
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
SECURITY UPDATE |
Release Date: | 2014-05-01 (Last update can be found below the document title) |
Description: | Cross Account Login Creation |
Criticality Level: | Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
Impact: | Exposure of Sensitive Data |
Systems Affected: | Canvas LMS |
Solution Status: | Patched |
Discovered By: | Internal Audit |
Relevant Changesets: | fix permission checks around pseudonym creation · instructure/canvas-lms@19d4d95 · GitHub |
Summary:
A bug in permissions checking could allow a malicious user to create logins in accounts that they wouldn't normally be allowed to. This could allow access to basic account information, depending on authentication settings.
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.