rubysec · postmodern · Dec 16, 2023 · Dec 16, 2023
diff --git a/gems/activeadmin/CVE-2023-50448.yml b/gems/activeadmin/CVE-2023-50448.yml
@@ -0,0 +1,37 @@
+---
+gem: activeadmin
+cve: 2023-50448
+ghsa: 356j-hg45-x525
+url: https://github.com/activeadmin/activeadmin/security/advisories/GHSA-356j-hg45-x525
+title: Potential CSV export data leak
+date: 2023-12-15
+description: |
+
+  ### Impact
+
+  In ActiveAdmin versions prior to 2.12.0, a concurrency issue was
+  found that could allow a malicious actor to be able to access
+  potentially private data that belongs to another user.
+
+  The bug affects the functionality to export data as CSV files, and
+  was caused by a variable holding the collection to be exported being
+  shared across threads and not properly synchronized.
+
+  The attacker would need access to the same ActiveAdmin application
+  as the victim, and could exploit the issue by timing their request
+  immediately before when they know someone else will request a CSV
+  (e.g. via phishing) or request CSVs frequently and hope someone
+  else makes a concurrent request.
+
+  ### Patches
+
+  Versions 2.12.0 and above fixed the problem by completely
+  removing the shared state.
+cvss_v3: 8.4
+patched_versions:
+  - ">= 2.12.0"
+related:
+  url:
+    - https://github.com/activeadmin/activeadmin/security/advisories/GHSA-356j-hg45-x525
+    - https://github.com/advisories/GHSA-356j-hg45-x525
+notes: "No NVD or mention in repo for this CVE."