2014-05-08 Instructure Advisory IAC27818 - SQL Sanitization Vulnerability

jordan
Instructure Alumni
Instructure Alumni
0
787

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-05-08  (Last update can be found below the document title)
  Description:SQL Sanitization Vulnerability
  Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Manipulation of data
  • Exposure of sensitive information
  • Privilege escalation

Authentication Level: Logged in Canvas admins and instructors

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Instructure Internal Audit
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/1f231d1369a4fbfeac4211524210b87d6e1a669a


Summary:

A security audit has identified a SQL injection attack vector in the course import functionality, available to account admins and instructors.

Status:

A fix has been developed and deployed to Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.