2014-06-27 Instructure Advisory IAC00722 - SAML Ruby gem vulnerability

jordan
Instructure Alumni

    SECURITY UPDATE


  Release Date: 2014-06-27 (Last update can be found below the document title)
  Description: Vulnerability in Ruby's implementation of SAML
  Criticality Level: Moderately Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact:
  • Possible information leakage and/or unauthorized access
  Systems Affected: CanvasLMS
  Solution Status: Patched
  Discovered By: Vladislav Mladenov, Christian Mainka, Florian Feldmann and Julian Krautwald, Horst Görtz Institute for IT-Security, http://www.nds.rub.de/chair/news/
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/034cae39cc84ec924b4322cfb5fd7ea0fa89c56b


Summary:

A vulnerability exists in version 0.1.28 of the ruby-saml-mod Ruby gem. Under the right set of circumstances it could allow information leakage. The vulnerability is fixed in version 0.1.29 of the gem.

Status:

Fixed in Canvas Cloud as of 6/27/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
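For self-hosted installations, the quickest way to confirm exposure is to check which ruby-saml-mod version the application's Gemfile.lock resolves to and compare it against the fixed release. The script below is an added example, not code from Instructure or the Canvas project: only the gem name and the fixed version (0.1.29) come from this advisory, and the Gemfile.lock fragment embedded in it is constructed for illustration rather than taken from Canvas. It parses the `specs:` section the way Bundler lays it out (resolved gems at four-space indent, their dependency constraints indented deeper) and uses `Gem::Version` so that versions compare numerically rather than as strings.

```ruby
# Added example (not from the advisory or the Canvas code base): report whether
# a Gemfile.lock pins ruby-saml-mod below the release that fixes this advisory.
# The gem name and fixed version come from the advisory; the lockfile text
# below is constructed for illustration.
require "rubygems"

FIXED_VERSION = Gem::Version.new("0.1.29")

# Constructed sample Gemfile.lock fragment (not the real Canvas lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.5.2)
      ruby-saml-mod (0.1.28)
        libxml-ruby (>= 2.4.0)
        xml_security
      xml_security (0.1.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    ruby-saml-mod
LOCK

# Return the resolved Gem::Version of gem_name from lockfile text, or nil if
# the gem is not present. Resolved gems appear under "specs:" as
# "    name (version)" at four-space indent; deeper-indented lines are
# dependency constraints (e.g. "(>= 2.4.0)") and must not be mistaken for
# the resolved version, so the regex anchors on exactly four leading spaces.
def locked_version(lock_text, gem_name)
  lock_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Classify a lockfile with respect to this advisory:
#   :vulnerable - ruby-saml-mod resolved to a version below 0.1.29
#   :patched    - ruby-saml-mod resolved to 0.1.29 or later
#   :absent     - the application does not use ruby-saml-mod at all
def saml_gem_status(lock_text)
  version = locked_version(lock_text, "ruby-saml-mod")
  return :absent if version.nil?
  version < FIXED_VERSION ? :vulnerable : :patched
end

if __FILE__ == $PROGRAM_NAME
  # Pass a real Gemfile.lock path as the first argument, or run without
  # arguments to evaluate the constructed sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "ruby-saml-mod: #{saml_gem_status(text)}"
end
```

Run it against the lockfile of a deployed checkout (`ruby check_saml_gem.rb /path/to/canvas/Gemfile.lock`); a result of `:patched` or `:absent` means the installation is not on the affected gem version, while `:vulnerable` means the stable-code update or the manual patch referenced above still needs to be applied.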