SECURITY UPDATE

| Field | Value |
|---|---|
| Release Date: | 2017-02-13 |
| Description: | XXE Vulnerability in Quizzes QTI Upload |
| Criticality Level: | Critical |
| Impact: | Potential read-only access to underlying filesystem |
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Unnamed BugCrowd Security Researcher as part of an annual vulnerability assessment |
| Relevant Changesets: | don't resolve entities in xml (instructure/QTIMigrationTool@729a35313c on GitHub) |
Summary:
An external security audit discovered an XML External Entity (XXE) vulnerability in the QTI Migration tool, which converts QTI version 1.x data into QTI 2.0 content packages. The vulnerability allowed read-only access to the underlying filesystem: a potential attacker could read files from system-level directories where configuration and system user details are stored.
An internal forensic investigation found no evidence that the vulnerability, which had existed on the system for some time, was exploited during the time it was present.
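The fix named in the changeset is to stop resolving entities in the uploaded XML. The following is an added illustration of that hardening, written for this page and not taken from QTIMigrationTool or Canvas: it parses a QTI document with Python's standard-library expat parser while refusing every entity mechanism (entity declarations, external entity references, references to undeclared entities) and never fetching an external DTD. The QTI snippets are constructed samples; the `file:///constructed/...` path is a placeholder.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an uploaded document declares or references an XML entity."""


def parse_without_entities(data: bytes) -> ET.Element:
    """Parse XML into an ElementTree while refusing every entity mechanism.

    A DOCTYPE by itself is tolerated, because QTI 1.x exports routinely carry
    one (e.g. a SYSTEM reference to the IMS DTD). What is refused is any entity
    declaration in the internal subset, any external entity reference, and any
    reference to an entity the parser has not seen (the way an unread external
    DTD could smuggle one in). The external DTD itself is never fetched.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.buffer_text = True
    # Never process the external DTD subset: no file or network access happens
    # on the parser's behalf regardless of what the DOCTYPE points at.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires for internal and external general/parameter entities alike,
        # before any reference to the entity can be expanded.
        raise UnsafeXMLError(f"entity declaration {name!r} is not allowed")

    def reject_external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError(f"external entity {system_id!r} is not allowed")

    def reject_skipped_entity(name, is_param):
        raise UnsafeXMLError(f"undeclared entity {name!r} is not allowed")

    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.SkippedEntityHandler = reject_skipped_entity
    # Normal element/text events are forwarded to the ElementTree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(data, True)
    return builder.close()


def upload_is_acceptable(data: bytes) -> bool:
    """True if the document parses with no entity use; False on entity use or malformed XML."""
    try:
        parse_without_entities(data)
    except (UnsafeXMLError, expat.ExpatError):
        return False
    return True


# Constructed sample inputs (not taken from the advisory or from Canvas).
BENIGN_QTI = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE questestinterop SYSTEM "ims_qtiasiv1p2p1.dtd">
<questestinterop>
  <item ident="q1" title="Arithmetic">
    <presentation><material><mattext>2 + 2 = ?</mattext></material></presentation>
  </item>
</questestinterop>
"""

# Declares an external entity pointing at a placeholder path; must be refused.
XXE_QTI = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE questestinterop [
  <!ENTITY ext SYSTEM "file:///constructed/example.txt">
]>
<questestinterop><item ident="q1"><presentation><material><mattext>&ext;</mattext></material></presentation></item></questestinterop>
"""

# Nested internal entities (the entity-expansion denial-of-service shape); also refused.
ENTITY_EXPANSION_QTI = b"""<?xml version="1.0"?>
<!DOCTYPE questestinterop [ <!ENTITY a "aaaaaaaa"> <!ENTITY b "&a;&a;&a;&a;"> ]>
<questestinterop><mattext>&b;</mattext></questestinterop>
"""

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_QTI), ("xxe", XXE_QTI), ("expansion", ENTITY_EXPANSION_QTI)]:
        print(label, "accepted" if upload_is_acceptable(doc) else "rejected")
```

The design choice worth noting is that the DOCTYPE line is allowed while entities are not: rejecting every DOCTYPE would break legitimate QTI 1.x uploads, whereas refusing entity declarations and disabling parameter-entity parsing removes the file-read primitive the advisory describes without touching well-formed exports. Rejecting skipped (undeclared) entities is deliberately conservative; a document that relies on entities from an unread DTD is treated as unacceptable rather than silently losing content.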
Status:
All systems were patched as of 13:21 MT on 2/3/2017