SECURITY UPDATE |  |
| Release Date: | 2014-07-24 (Last update can be found below the document title) |
| Description: | Boundary issues with rubyzip gem |
| Criticality Level: | Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: |
|
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Internal audit |
| Relevant Changesets: | https://github.com/instructure/canvas-lms/commit/a6e104a20b0e6da4251cf7ed90b4eecea0937130 |
Summary:
A vulnerability was discovered within the rubyzip gem used by Canvas which could allow an attacker to gain access to the filesystem, directories, files and/or execute arbitrary code via symbolic links.
Status:
Fixed in Canvas Cloud as of 7/24/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
