SECURITY UPDATE

Release Date: 2020-08-11
Description: Oembed API Blind SSRF Vulnerability
Criticality Level: Medium (Less Critical < Critical < Moderately Critical < Highly Critical)
Impact: Unauthenticated Blind SSRF (Server Side Request Forgery)
Systems Affected: Canvas LMS
Solution Status: Patched
Discovered By: Tenable Security
Relevant Changesets: Require signed token for oembed embedding · instructure/canvas-lms/commit/d225ea1c · GitHub
Summary:
An unauthenticated blind SSRF (Server Side Request Forgery) vulnerability was identified and disclosed by a Tenable Security researcher. The vulnerability is due to not requiring LTI tools to sign requests to the server, allowing crafted API calls from end users to query arbitrary hosts. Host responses are not returned to the client.
Status:
Canvas code changes were committed to master on 8/5/2020. This fix is a breaking changeset, so Canvas is following the regular release process to give LTI tool owners time to make the necessary changes.
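The changeset referenced above requires a signed token before the server performs an oembed fetch. The following added example is not Canvas code: the token format, the `OembedSignedToken` module, `handle_oembed` and the shared secret are assumptions. It shows the gate in Ruby: the LTI tool signs the target URL and an expiry with a secret shared with the server, and the server refuses to fetch anything unsigned, tampered with, or expired, so an end user can no longer point the server at arbitrary hosts.

```ruby
require 'openssl'
require 'json'

# Hypothetical signing scheme (not the Canvas implementation). The token is
# "<hex(JSON payload)>.<HMAC-SHA256 hex>" where the payload binds the URL to
# an expiry; only the holder of the shared secret can mint a valid token.
module OembedSignedToken
  ALGORITHM = 'SHA256'

  # Tool side: sign the URL the tool wants the server to embed.
  def self.sign(url, secret, expires_at)
    payload = JSON.generate('url' => url, 'exp' => expires_at).unpack1('H*')
    "#{payload}.#{OpenSSL::HMAC.hexdigest(ALGORITHM, secret, payload)}"
  end

  # Server side: return [:ok, url] or [:rejected, reason]. The URL used for
  # the fetch comes from the verified payload, never from a loose parameter.
  def self.verify(token, secret, now)
    return [:rejected, :missing_token] if token.nil? || token.empty?
    payload, sig = token.split('.', 2)
    return [:rejected, :malformed] if payload.nil? || sig.nil?
    expected = OpenSSL::HMAC.hexdigest(ALGORITHM, secret, payload)
    return [:rejected, :bad_signature] unless secure_equal?(sig, expected)
    data = JSON.parse([payload].pack('H*'))
    unless data.is_a?(Hash) && data['url'].is_a?(String) && data['exp'].is_a?(Integer)
      return [:rejected, :malformed]
    end
    return [:rejected, :expired] if data['exp'] < now
    [:ok, data['url']]
  rescue JSON::ParserError, ArgumentError
    [:rejected, :malformed]
  end

  # Constant-time comparison so response timing does not leak the HMAC.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Server-side oembed handler: the fetch is stubbed; the point is the gate.
# `now` is an integer Unix timestamp so the behaviour is deterministic.
def handle_oembed(params, secret, now)
  status, value = OembedSignedToken.verify(params['token'], secret, now)
  return "rejected: #{value}" unless status == :ok
  "would fetch #{value}"
end
```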