From ea77db5f340b81b98323d5f7aac915e574c97a90 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Sat, 16 Dec 2023 08:54:14 -0500
Subject: [PATCH] GHSA Sync: 1 brand new advisory

---
 gems/activeadmin/CVE-2023-50448.yml | 37 +++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 gems/activeadmin/CVE-2023-50448.yml

diff --git a/gems/activeadmin/CVE-2023-50448.yml b/gems/activeadmin/CVE-2023-50448.yml
new file mode 100644
index 0000000000..e8bce14244
--- /dev/null
+++ b/gems/activeadmin/CVE-2023-50448.yml
@@ -0,0 +1,37 @@
+---
+gem: activeadmin
+cve: 2023-50448
+ghsa: 356j-hg45-x525
+url: https://github.com/activeadmin/activeadmin/security/advisories/GHSA-356j-hg45-x525
+title: Potential CSV export data leak
+date: 2023-12-15
+description: |
+
+  ### Impact
+
+  In ActiveAdmin versions prior to 2.12.0, a concurrency issue was
+  found that could allow a malicious actor to be able to access
+  potentially private data that belongs to another user.
+
+  The bug affects the functionality to export data as CSV files, and
+  was caused by a variable holding the collection to be exported being
+  shared across threads and not properly synchronized.
+
+  The attacker would need access to the same ActiveAdmin application
+  as the victim, and could exploit the issue by timing their request
+  immediately before when they know someone else will request a CSV
+  (e.g. via phishing) or request CSVs frequently and hope someone
+  else makes a concurrent request.
+
+  ### Patches
+
+  Versions 2.12.0 and above fixed the problem by completely
+  removing the shared state.
+cvss_v3: 8.4
+patched_versions:
+  - ">= 2.12.0"
+related:
+  url:
+    - https://github.com/activeadmin/activeadmin/security/advisories/GHSA-356j-hg45-x525
+    - https://github.com/advisories/GHSA-356j-hg45-x525
+notes: "No NVD or mention in repo for this CVE."
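Review bot: The `description: |` literal block opens with an empty line before `### Impact`, so the parsed string begins with a leading newline rather than with the heading; dropping that first blank line keeps the text as written while making the value start at `### Impact`. The unquoted `date: 2023-12-15` will be typed as a Date by YAML 1.1 loaders such as Psych, which appears to be the convention for these advisory files — worth confirming it matches what the database schema expects rather than a string. The rest of the entry is consistent: `patched_versions` is `">= 2.12.0"`, which agrees with the "prior to 2.12.0" affected range stated in the description, and the free-form `notes` value is quoted.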