At ClassLink, our commitment to creating a secure digital environment for the educational community is woven into the fabric of our operations. Our pledge to Secure by Design principles is not just a statement; it's a fundamental approach to building and maintaining our software solutions. This dedication is exemplified through our transparent public disclosure of vulnerabilities, a practice we uphold with unwavering commitment.
By participating in this pledge, ClassLink publicly commits to the following actions:
ClassLink will make security audit logs available to its customers at no additional charge above the base cost of its software solutions to ensure that tenant administrators have the ability to see and react to security events affecting their production environment.
ClassLink conducts internal and external quarterly vulnerability assessments, and authorizes volunteer testing. Findings are anonymously reported, promptly investigated, and recorded. Remediation priorities are set based on threat levels. Vulnerabilities unresolved after 90 days are continuously monitored.
ClassLink publicly discloses any mitigated vulnerabilities, including the disclosure of Common Vulnerabilities and Exposures (CVE). Each CVE entry will feature a Common Weakness Enumeration (CWE) field, providing insights into the root cause of the vulnerability for enhanced understanding and transparency.
ClassLink analyzes diverse security data, including MFA adoption, DDoS incidents, breaches, downtime, policy violations, and more. Calculated statistics are published on a public webpage for transparency.
CWE-79, CWE-80
An XSS vulnerability was discovered in the ClassLink Management Console (CMC). An attacker with Tenant Administrator (TA) permissions could inject custom JavaScript into frontend applications.
No effect on production environment.
Affected Services:
CWE-235
The OAuth2 authorization endpoint accepted the redirect URL parameter more than once in a single request; when the duplicates were sent in a certain order, the result was an open redirect in the OAuth2 flow.
An authorization code leak can lead to account takeover.
Affected Services:
CWE-601, CWE-20
A specially crafted URL could evade the validator for the OAuth callback and cause the application to accept non-ClassLink domains.
An authorization code leak can lead to account takeover.
Affected Services:
CWE-79, CWE-80
An XSS vulnerability was discovered when editing the name of a SAML Connection. An attacker with TA permissions could inject custom JavaScript into frontend applications.
No effect on production environment.
Affected Services:
CWE-918
The metadata URL field did not reject non-routable IP addresses, so the application could be made to send requests to internal infrastructure (SSRF).
Could send requests to internal services.
Affected Services:
CWE-16
Some DNS records lingered that pointed to IP addresses no longer in use. An attacker who obtained one of those addresses could host their own application under a oneroster.com domain (a dangling DNS record, also known as subdomain takeover).
No effect on production environment.
Affected Services:
CWE-346
It was possible to bypass a building's wallpaper restrictions and use any image as a wallpaper even when custom images were not allowed. Uploading a custom avatar picture generated a temporary URL on the same CDN as the approved wallpapers, and the wallpaper check accepted any URL on that CDN.
Defacement.
Affected Services:
CWE-89
A vulnerability was discovered in the ClassLink Management Console which would cause a database error if certain SQL metacharacters were sent. This endpoint requires an account with TA permissions to access and did not reveal contents of the database.
Database errors due to malformed SQL statements.
Affected Services:
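The finding above was limited to a database error, but the underlying construction (user input concatenated into a SQL statement) is the same one that, with a differently shaped endpoint, discloses data. The following is an added example, not ClassLink code, using an in-memory SQLite table constructed here as a stand-in for a console data store. It puts the string-built query beside the parameterized one and goes beyond the page's specific case by also showing what a tautology does to each:

```python
import sqlite3


def _connect():
    """Constructed in-memory database standing in for a console data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tenants (name) VALUES (?)",
                     [("Springfield USD",), ("O'Neil Academy",)])
    return conn


def find_tenant_vulnerable(conn, name):
    """String-built query: SQL metacharacters in `name` become part of the statement."""
    sql = f"SELECT id FROM tenants WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_tenant_safe(conn, name):
    """Parameterized query: `name` is bound as data and never parsed as SQL."""
    sql = "SELECT id FROM tenants WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both variants against an apostrophe and a tautology; return what each did."""
    conn = _connect()
    results = {}
    # A legitimate name containing a single quote breaks the string-built statement
    # (this is the "database error" symptom from the finding).
    try:
        find_tenant_vulnerable(conn, "O'Neil Academy")
        results["vulnerable_error"] = None
    except sqlite3.OperationalError as exc:
        results["vulnerable_error"] = str(exc)
    results["safe"] = find_tenant_safe(conn, "O'Neil Academy")
    # The same construction turns a tautology into a full-table read; the bound
    # parameter treats it as a literal name that matches nothing.
    results["vulnerable_tautology"] = find_tenant_vulnerable(conn, "x' OR '1'='1")
    results["safe_tautology"] = find_tenant_safe(conn, "x' OR '1'='1")
    return results
```

The error message an endpoint returns for a stray quote is the signal a tester uses to find this; the parameterized form removes both the error and the injection, and the `OperationalError` branch shows why "only an error" is never a safe place to stop an investigation.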
CWE-601
The QuickCard Login page accepts a "Custom URL" parameter that normally points back to a district's login homepage; however, arbitrary URLs were allowed. If a user clicked "Return to Login Page" they were redirected to whatever site was in the custom URL parameter.
No effect on production environment.
Affected Services:
CWE-16
A Help Article gives examples of how to access ClassLink services programmatically in various languages. The Ruby example disabled certificate chain verification, which could expose applications built from it to MITM attacks.
No effect on production environment.
Affected Services:
CWE-918
It was possible to inject arbitrary Host headers, which the proxy would process, leading to SSRF.
SSRF could reach internal resources for the instance (e.g., the AWS instance metadata service).
Affected Services:
CWE-863
Certain GET endpoints would respond to requests carrying a non-TA user's session cookie instead of returning 403 Forbidden.
Could leak Tenant metadata (no roster data or PII could be leaked)
Affected Services:
CWE-601
OAuth login endpoints would accept callback URLs with an http:// scheme. Only ClassLink domains are valid redirect URLs; however, an attacker positioned for an MITM attack could redirect to a ClassLink domain over http:// and read the authorization code in transit.
An authorization code leak can lead to account takeover.
Affected Services:
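Three of the findings on this page are variations of one weak callback validator: a repeated redirect parameter, a crafted URL that satisfied a loose host check, and an http:// scheme that was accepted. The following is an added example, not ClassLink's validator, of a strict check that closes all three; the allowlist hostnames are assumed for illustration and are not taken from the page:

```python
from urllib.parse import parse_qsl, urlsplit

# Assumed allowlist of callback hosts; the real ClassLink list is not on the page.
ALLOWED_CALLBACK_HOSTS = {"launchpad.classlink.com", "myapps.classlink.com"}


def extract_redirect_uri(query_string):
    """Return the one redirect_uri value, or None if it is missing or repeated.

    Accepting a repeated parameter (CWE-235) lets an attacker pair a value that
    satisfies the validator with a second one that a later code path uses.
    """
    values = [v for k, v in parse_qsl(query_string, keep_blank_values=True)
              if k == "redirect_uri"]
    return values[0] if len(values) == 1 else None


def is_allowed_redirect(uri):
    """Accept only https URLs whose host is exactly on the allowlist."""
    if not uri or "\\" in uri or any(c.isspace() for c in uri):
        return False                      # backslashes and whitespace confuse parsers
    try:
        parts = urlsplit(uri)
        port = parts.port                 # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":           # http:// lets an on-path attacker read the code
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # https://good.host@evil.host/
    if port is not None:
        return False                      # explicit ports are not on the allowlist
    # Exact host match: "good.host.evil.host" and "evil.host/good.host" both fail,
    # and urlsplit() lowercases the hostname so case tricks do not help either.
    return parts.hostname in ALLOWED_CALLBACK_HOSTS


def validate_callback(query_string):
    """Full check for an authorization request's query string."""
    uri = extract_redirect_uri(query_string)
    return uri is not None and is_allowed_redirect(uri)
```

The design point is that the check is an exact comparison of a parsed hostname, never a substring or prefix test on the raw string, and that the same parsed value is the one later handed to the redirect; parsing once and comparing twice is how the duplicated-parameter variant slips through.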
CWE-552
Database schemas and SQL scripts for two SIS systems were publicly available on an S3 bucket. These were not schemas for ClassLink databases.
No effect on production environment
Affected Services:
CWE-20
Checks were in place on the client-side to ensure secret answers met minimum length requirements. However these same checks were not performed on the backend.
No effect on production environment
Affected Services:
CWE-200
An Amazon S3 bucket with bash scripts for the internal CI/CD pipeline was publicly readable on the internet.
One script contained a username and password for a beanstalkapp service account, which could affect the CI/CD pipeline for projects on beanstalkapp. The service account has been decommissioned.
Affected Services:
CWE-200
Passwords for LaunchPad applications could be leaked from the App Passwords window when viewing the HTML source directly.
No effect on production environment; certain apps that require passwords could have the password leaked.
Affected Services:
CWE-840, CWE-266
A ClassLink Administrator could create another administrator profile within the CMC.
Creating another admin profile could confuse a ClassLink Administrator and make auditing admin actions more difficult.
Affected Services:
CWE-613
Bearer tokens used to authenticate a user to Roster Server would not expire.
A token that does not expire could be stolen by an attacker and utilized in a replay attack.
Affected Services:
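The bearer-token finding above is a missing expiry claim. The following is an added example, not Roster Server's token code, of an HMAC-signed token whose verifier rejects both an expired token and a token with no expiry at all, so a legacy non-expiring token cannot be replayed after the fix. The key, claim names and TTL are constructed for the example:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for the example only; a deployment loads this from a secret store.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
DEFAULT_TTL_SECONDS = 3600


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body):
    return _b64(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(subject, now=None, ttl=DEFAULT_TTL_SECONDS):
    """Issue body.signature. ttl=None reproduces the non-expiring token (CWE-613)."""
    now = int(time.time()) if now is None else int(now)
    claims = {"sub": subject, "iat": now}
    if ttl is not None:
        claims["exp"] = now + int(ttl)
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return f"{body}.{_sign(body)}"


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    body, sep, signature = token.partition(".")
    if not sep or not hmac.compare_digest(signature, _sign(body)):
        return None                       # forged or tampered
    try:
        claims = json.loads(_unb64(body))
    except ValueError:                    # covers bad base64 and bad JSON
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None                       # a missing exp is rejected, not treated as eternal
    return claims
```

Two choices matter here: the signature is checked before the body is parsed, so malformed input never reaches the JSON decoder unsigned, and the absence of `exp` is a rejection rather than a pass, which is what retires tokens issued before expiry was enforced. A short TTL plus a refresh flow keeps the window a stolen token is useful for small.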
CWE-918
The Test Auth feature on the File Exports page accepts internal IP addresses (e.g., 10.0.0.0/8) or hostnames and a port number and tests connectivity to the system. The server responses reveal whether an IP/Port combination is active.
An attacker with Tenant Administrator (TA) credentials could port scan servers on an internal network during the reconnaissance phase of an attack to develop a network diagram.
Affected Services:
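The metadata-URL SSRF, the Host-header SSRF and the Test Auth port scan above share one missing control: the server opened a connection to a destination the user chose without first checking where that destination lived. The following is an added example, not ClassLink code, of that check. The name-to-address table is constructed so the block runs offline (the public addresses in it are only stand-ins), and the trusted Host value is assumed for illustration:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed name -> address table so the example runs offline; it stands in for
# DNS. Swap in resolve_system() for real lookups.
CONSTRUCTED_DNS = {
    "idp.example.org": ["8.8.8.8"],                  # public (address is only a stand-in)
    "metadata.internal": ["10.0.0.5"],               # RFC 1918
    "rebind.example.org": ["8.8.4.4", "127.0.0.1"],  # mixed answer: must be rejected
}


def resolve_constructed(host):
    return CONSTRUCTED_DNS.get(host.lower(), [])


def resolve_system(host):
    """Real resolution via getaddrinfo; not used by the offline demo."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(addr):
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped               # ::ffff:10.0.0.5 is still 10.0.0.5
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_target(host, port, resolve=resolve_constructed):
    """Return (allowed, reason, addresses) for an outbound connection to host:port."""
    try:
        port = int(port)
    except (TypeError, ValueError):
        return False, "port is not a number", []
    if not 1 <= port <= 65535:
        return False, "port out of range", []
    try:
        addrs = [str(ipaddress.ip_address(host.strip("[]")))]   # literal address
    except ValueError:
        addrs = resolve(host)                                   # hostname
    if not addrs:
        return False, "name did not resolve", []
    for a in addrs:                       # every answer must be public, not just the first
        if not is_public_ip(a):
            return False, f"{host} resolves to non-public address {a}", addrs
    return True, "ok", addrs


def check_metadata_url(url, resolve=resolve_constructed):
    """Gate for a user-supplied URL the server will fetch (e.g. a SAML metadata URL)."""
    try:
        parts = urlsplit(url)
        port = parts.port                 # raises ValueError on an out-of-range port
    except ValueError:
        return False, "unparseable url", []
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return check_target(parts.hostname, port, resolve)


def is_trusted_host_header(host_header, trusted=frozenset({"launchpad.classlink.com"})):
    """A proxy must only forward to hosts it serves; the trusted name here is assumed."""
    host = host_header.strip().lower()
    if ":" in host:                        # drop an optional :port (no IPv6 literals expected)
        host = host.rsplit(":", 1)[0]
    return host in trusted
```

The addresses returned by `check_target` are the ones the caller should connect to, pinning the decision to what was validated; re-resolving the name at connect time reopens the window a DNS-rebinding answer like the constructed `rebind.example.org` exploits. For the Test Auth case the same gate applies before any connect is attempted, so the response no longer tells a TA which internal ports are open.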
CWE-122, CWE-1395
nginx versions 0.6.8 through 1.20.0 are vulnerable to a heap overflow when the nginx DNS resolver is in use and a query is answered by an attacker-controlled DNS server. All instances have since been updated to the current patched nginx release shipped with AL2 and AL2023.
ClassLink reviewed the system configuration and confirmed that cloud instances used the system's default DNS resolver and not the nginx resolver, so the issue was not exploitable. There was no effect on the production environment.
Affected Services:
CWE-79, CWE-80
When creating a new connection on the SAML Console page, the Name attribute was not being sanitized for JavaScript and HTML attributes. Upon saving, this would trigger custom JavaScript whenever the SAML Console page was opened.
No effect on production environment
Affected Services:
CWE-79, CWE-80
The Public Portal validator was not checking for HTML event handlers or JavaScript, which could be directly injected into an intercepted HTTP request. A ClassLink Administrator could intercept and modify their request to edit the Public Portal and include custom JavaScript, which would be executed on the Public Portal.
No effect on production environment
Affected Services:
CWE-79, CWE-80
The title and message body of the Acceptable Use Policy (AUP) were not being sanitized for JavaScript and HTML attributes.
No effect on production environment
Affected Services:
CWE-284
It was possible to manipulate the folder_id parameter in requests to My Files to look up arbitrary folder IDs. The server would return information such as the name of the folder and the names of the files within it. However, it was not possible to download files the user did not have permission to access.
Metadata of files and folders within My Files could be leaked, specifically the names of folders and files.
Affected Services:
CWE-79, CWE-80
When editing or creating a new user via the Edit Users slide-over on the Users page, the First Name, Last Name, and Display Name value fields were not being sanitized for JavaScript and HTML attributes. After saving a user, JavaScript would trigger when viewing the dashboard.
No effect on production environment
Affected Services:
CWE-79, CWE-80
When previewing a notification in the Notifications Module (Beta), the preview window was not sanitizing the notification's title or body for cross-site scripting (XSS), which allows custom JavaScript. XSS filtering occurs on the dashboard and other notification windows, but it needs to be extended to the preview window, as well.
No effect on production environment
Affected Services:
CWE-79, CWE-80
On the Groups page, the Wallpaper and Group Name fields were not sanitized for cross-site scripting (XSS) before reflecting the input into HTML. This allowed custom JavaScript to be injected into both parameters. When editing a group, custom JavaScript was triggered when the slide-over opened.
No effect on production environment
Affected Services:
CWE-79, CWE-80
Certain HTML attributes were not sanitized in the notification body, which can lead to custom JavaScript injection (XSS).
No effect on production environment
Affected Services:
CWE-840
A flaw in validation logic allowed the ClassLink OneClick Extension to run on non-ClassLink domains.
No effect on production environment
Affected Services:
CWE-22
The Append Files option in the Roster Server Preprocessor built a file path from user-supplied input without stripping path-traversal sequences (e.g., ../), so files outside the DailyImport and SIS Import folders could be referenced. The backend automatically appends a comma-separated value (CSV) file extension to the filename, which limits which files can be targeted, and it was not possible to download arbitrary files via this endpoint.
There was no impact on production systems from this issue alone. While directory traversal could reach files outside the import folders, it was limited to files with a .csv extension and would require a Roster Server sync to read the file; these files cannot be downloaded directly from the server.
Affected Services:
CWE-22
When exporting logs from Roster Server, the filename parameter was not being stripped of path characters. This allowed for directory traversal outside the log directory. The OneRoster®/Roster Server user does not run as root.
Directory traversal on the Amazon Web Services (AWS)-hosted Roster Server instances can reveal files outside the Roster Server log directory.
Affected Services:
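Both Roster Server findings above come from joining a user-supplied name onto a directory without confining the result. The following is an added example, not Roster Server code, of a confinement check that combines a strict name allowlist with a post-resolution containment test, and mirrors the server's behaviour of appending an extension. The directory layout in `demo()` is constructed for the example:

```python
import re
import tempfile
from pathlib import Path

# One path component only: no separators, no leading dot, so "../x", "/etc/passwd"
# and "..%2Fx" all fail before any filesystem access.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def safe_child(base_dir, user_name, extension=None):
    """Return base_dir/user_name (plus extension) if it stays inside base_dir, else None."""
    if not SAFE_NAME.fullmatch(user_name):
        return None
    name = user_name
    if extension and not name.endswith(extension):
        name += extension                 # mirrors the server appending ".csv"
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()   # follows symlinks, so a planted link is caught too
    if candidate.parent != base:
        return None                       # defence in depth behind the name check
    return candidate


def demo():
    """Constructed layout: a log directory with one file and a secret one level up."""
    payloads = ["app.log", "../secret.txt", "..%2Fsecret.txt",
                "app.log/../../secret.txt", "/etc/passwd", "app.log\x00.txt"]
    with tempfile.TemporaryDirectory() as root:
        logs = Path(root, "logs")
        logs.mkdir()
        (logs / "app.log").write_text("log line")
        Path(root, "secret.txt").write_text("should never be read")
        out = {}
        for p in payloads:
            path = safe_child(logs, p)
            out[p] = path.read_text() if path is not None and path.exists() else None
        return out
```

Rejecting rather than "cleaning" a bad name is deliberate: stripping `../` and continuing turns a traversal attempt into a silently different file and hides the attempt from logs, while a rejection is something a detection rule can alert on. The containment check is kept even though the regex already excludes separators, because the two controls fail independently.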
CWE-79, CWE-80
HTML is accepted for values (e.g., Display Name, First Name, Last Name) in the Edit User slide-over on the Users page. However, certain HTML attributes were not sanitized before being injected into the slide-over, triggering custom JavaScript.
No effect on production environment
Affected Services:
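Most of the XSS entries on this page describe the same two gaps: plain-text fields (names, titles) that were reflected unescaped, and rich-text fields (notification bodies, the Public Portal) whose validator blocked some markup but missed event-handler attributes or a `javascript:` URL. The following is an added example, not ClassLink's sanitizer, that shows both fixes: an escape for fields that never carry markup, and an allowlist-based sanitizer for fields that legitimately accept HTML. The tag and attribute allowlist is assumed for illustration:

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for fields that legitimately accept rich text; everything else is dropped.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}


def escape_text(value):
    """For plain-text fields (names, titles): never markup, only escaped text."""
    return html.escape(value, quote=True)


def _safe_url(value):
    # Browsers ignore tab/newline inside a scheme, so strip them before checking.
    v = "".join(c for c in value if c not in "\t\r\n").strip()
    try:
        scheme = urlsplit(v).scheme.lower()
    except ValueError:
        return None
    return v if scheme in SAFE_URL_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment from the allowlist: unknown tags, every on* handler,
    comments and script/style bodies never reach the output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], None

    def handle_starttag(self, tag, attrs):
        if self.skip:
            return
        if tag in ("script", "style"):
            self.skip = tag               # drop the body, not just the tag
            return
        if tag not in ALLOWED_TAGS:
            return                        # tag dropped; its text content is kept, escaped
        kept = []
        for name, value in attrs:         # HTMLParser lowercases names, unescapes values
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name in ("href", "src"):
                value = _safe_url(value or "")
                if value is None:
                    continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip:
            if tag == self.skip:
                self.skip = None
            return
        if tag in self.open_tags:         # close intervening tags to keep output well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """For fields that accept HTML (rich notification bodies): allowlist, not blocklist."""
    s = AllowlistSanitizer()
    s.feed(fragment)
    return s.result()
```

The preview-window finding is a reminder that the sanitizer has to run at every rendering site, not only the main dashboard; the simplest way to guarantee that is to sanitize once on write and store the cleaned fragment, so no reader can forget the step. An allowlist also handles the entity-encoded `&#106;avascript:` and tab-split scheme variants that a blocklist of literal strings misses, because the parser decodes the attribute before the scheme check sees it.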