2020-08-11 Instructure Advisory IAC32279 - Oembed API Blind SSRF Vulnerability

mspencer_inst
Instructure
Instructure
0
2945

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

 

  Release Date: 2020-08-11
  Description:

Oembed API Blind SSRF Vulnerability

  Criticality Level: Medium   ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

Unauthenticated Blind SSRF (Server Side Request Forgery)

  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By:

Tenable Security

  Relevant Changesets:

Require signed token for oembed embedding · instructure/canvas-lms/commit/d225ea1c · GitHub 


 

Summary:

An unauthenticated blind SSRF (Server Side Request Forgery) vulnerability was identified and disclosed by a Tenable Security researcher. The vulnerability is due to not requiring LTI tools to sign requests to the server, allowing crafted API calls from end users to query arbitrary hosts. Host responses are not returned to the client.

Status:

Canvas code changes were committed 8/5/2020 to master. This fix is a breaking change set. Canvas is following the regular release process to allow LTI tool owners time to make necessary changes.

Tags (1)