2020-08-11 Instructure Advisory IAC32279 - Oembed API Blind SSRF Vulnerability
SECURITY UPDATE

| Field | Value |
|---|---|
| Release Date | 2020-08-11 |
| Description | Oembed API Blind SSRF Vulnerability |
| Criticality Level | Medium (scale: Less Critical < Critical < Moderately Critical < Highly Critical) |
| Impact | Unauthenticated Blind SSRF (Server Side Request Forgery) |
| Systems Affected | Canvas LMS |
| Solution Status | Patched |
| Discovered By | Tenable Security |
| Relevant Changesets | Require signed token for oembed embedding · instructure/canvas-lms/commit/d225ea1c · GitHub |
Summary:
An unauthenticated blind SSRF (Server Side Request Forgery) vulnerability was identified and disclosed by a Tenable Security researcher. The vulnerability is due to the server not requiring LTI tools to sign oembed requests, so crafted API calls from end users could make the server issue requests to arbitrary hosts. Host responses are not returned to the client, which is what makes the SSRF "blind".
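The following Ruby sketch is an added illustration of the check the changeset title describes, not Canvas's own code: the server accepts an oembed URL only when it arrives inside a token signed with the LTI tool's shared secret, so an unauthenticated caller can no longer choose the host the server contacts. The token format (hex-encoded JSON payload plus an HMAC-SHA256 signature), the `SHARED_SECRET`, the `max_age` freshness window and all URLs are assumptions constructed for the example.

```ruby
require 'openssl'
require 'json'

# Secret shared between the server and one LTI tool (constructed for this example).
SHARED_SECRET = "constructed-shared-secret".freeze

# Constant-time comparison so a signature check does not leak how many
# leading bytes of the guess were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# LTI tool side: sign the URL it wants the server to retrieve.
# Token format (assumed, not Canvas's): hex(JSON payload) "." HMAC-SHA256 hex.
def sign_oembed_url(url, secret, issued_at: Time.now.to_i)
  body = JSON.generate("url" => url, "iat" => issued_at).unpack1("H*")
  "#{body}.#{OpenSSL::HMAC.hexdigest('SHA256', secret, body)}"
end

# Server side: verify signature and freshness; return the URL, or nil if
# the token is missing, forged, tampered with, malformed or stale.
def verify_oembed_token(token, secret, now: Time.now.to_i, max_age: 300)
  body, sig = token.to_s.split(".", 2)
  return nil if body.nil? || sig.nil? || body.empty?
  # Check the MAC before parsing anything the caller controls.
  return nil unless secure_equal?(sig, OpenSSL::HMAC.hexdigest("SHA256", secret, body))
  payload = JSON.parse([body].pack("H*").force_encoding("UTF-8"))
  return nil unless payload.is_a?(Hash)
  iat = payload["iat"]
  return nil unless iat.is_a?(Integer) && (now - iat).between?(0, max_age)
  payload["url"]
rescue JSON::ParserError
  nil
end

# Vulnerable shape as the advisory describes it: the URL comes straight from
# the request, so any unauthenticated caller can pick the host the server contacts.
def oembed_retrieve_unsigned(params)
  url = params["url"]
  return { status: 400, error: "url required" } unless url
  { status: 200, fetch: url } # the outbound request would be made here
end

# Hardened shape: the URL is only accepted inside a token signed with the tool's secret.
def oembed_retrieve_signed(params, secret, now: Time.now.to_i)
  url = verify_oembed_token(params["token"], secret, now: now)
  return { status: 401, error: "missing or invalid signature" } unless url
  { status: 200, fetch: url } # the outbound request would be made here
end

if __FILE__ == $PROGRAM_NAME
  now = 1_700_000_000
  token = sign_oembed_url("https://tool.example.test/oembed?id=1", SHARED_SECRET, issued_at: now)
  # Constructed internal hostname; the unsigned handler would fetch it for anyone.
  p oembed_retrieve_unsigned("url" => "http://internal-host.example.test/")
  p oembed_retrieve_signed({ "url" => "http://internal-host.example.test/" }, SHARED_SECRET, now: now)
  p oembed_retrieve_signed({ "token" => token }, SHARED_SECRET, now: now)
end
```

The freshness window matters as much as the signature: without `iat`, a single captured token would let the server be pointed at the same URL indefinitely. This is also why the advisory calls the fix a breaking change: every LTI tool that previously sent a bare URL must now produce a signed token, so the status notes give tool owners time to update.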
Status:
Canvas code changes were committed 8/5/2020 to master. This fix is a breaking change set. Canvas is following the regular release process to allow LTI tool owners time to make necessary changes.