SECURITY UPDATE |  |
| Release Date: | 2017-01-11 |
| Description: | Arbitrary Collaboration Enrollment |
| Criticality Level: | Highly Critical |
| Impact: | Potential Exposure of Sensitive Data |
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Internal Audit |
| Relevant Changesets: | Restrict collaboration membership by context · instructure/canvas-lms@67491e3b · GitHub |
Summary:
During a routine security audit of the Canvas code base and platform, a bug with permission checking for collaboration enrollment was discovered which could allow a teacher or admin to enroll users in a course collaboration that they normally would not have been allowed to be enrolled in. This could lead to a situation which would allow access to basic user information that the teacher or admin might not otherwise have access to.
Status:
All systems were patched as of 15:14 MT on 1/5/2017
