2017-01-11 Instructure Advisory IAC20875 - Arbitrary Collaboration Enrollment

wbillings
Instructure
Instructure
0
914

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2017-01-11
  Description:

Arbitrary Collaboration Enrollment

  Criticality Level:Highly Critical
  Impact:Potential Exposure of Sensitive Data
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Internal Audit
  Relevant Changesets:

Restrict collaboration membership by context · instructure/canvas-lms@67491e3b · GitHub


Summary:

During a routine security audit of the Canvas code base and platform, a bug with permission checking for collaboration enrollment was discovered which could allow a teacher or admin to enroll users in a course collaboration that they normally would not have been allowed to be enrolled in. This could lead to a situation which would allow access to basic user information that the teacher or admin might not otherwise have access to.

Status:

All systems were patched as of 15:14 MT on 1/5/2017