PT-2023-31554 · Unknown · Activeadmin

Emilong · Published 2023-12-15 · Updated 2024-01-04 · CVE-2023-50448

CVSS v3.1 8.4 High
Vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ActiveAdmin versions prior to 2.12.0
Description: A concurrency issue in ActiveAdmin allows a malicious actor to access potentially private data belonging to another user by making CSV export requests at specific times. The issue is caused by a shared variable holding the collection to be exported, which is not properly synchronized across threads: one request's collection can be overwritten by a concurrent request's before the CSV is rendered, so the first user receives rows selected for the second. An attacker would need access to the same ActiveAdmin application as the victim and could exploit the issue by timing their request or by requesting CSVs frequently.
Recommendations: For versions prior to 2.12.0, update to version 2.12.0 or above to fix the concurrency issue. As a temporary workaround, consider restricting access to the CSV export functionality to minimize the risk of exploitation.
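The shared-variable race described above, modelled in plain Ruby as an added illustration. This is not ActiveAdmin's code: the two builder classes, the two constructed tenants and the Queue-driven interleaving are assumptions used to make the race deterministic rather than timing-dependent. The first builder keeps the collection in instance state on an object that outlives a single request (the situation in a threaded app server where one configuration object serves every request); the second passes the collection explicitly, which is the shape of fix the advisory describes.

```ruby
require "csv"

# Constructed sample data for two users of the same admin application
# (not from the advisory).
TENANT_ROWS = {
  "alice" => [{ id: 1, owner: "alice", secret: "alice-invoice-001" },
              { id: 2, owner: "alice", secret: "alice-invoice-002" }],
  "bob"   => [{ id: 3, owner: "bob",   secret: "bob-invoice-001" }],
}.freeze

# Vulnerable pattern (illustrative): the builder object is shared by every
# request and stores the collection being exported in an instance variable.
# Between storing it and rendering it, another thread can overwrite it.
class SharedStateCsvBuilder
  def build(collection, interleave: nil)
    @collection = collection   # shared across threads
    interleave&.call           # window in which another request may run
    render_rows                # reads @collection, possibly another user's
  end

  private

  def render_rows
    CSV.generate do |csv|
      csv << %w[id owner secret]
      @collection.each { |r| csv << [r[:id], r[:owner], r[:secret]] }
    end
  end
end

# Hardened pattern (illustrative): the collection is passed down the call
# chain as an argument, so no per-request data lives on the shared object.
class LocalStateCsvBuilder
  def build(collection, interleave: nil)
    interleave&.call
    render_rows(collection)
  end

  private

  def render_rows(collection)
    CSV.generate do |csv|
      csv << %w[id owner secret]
      collection.each { |r| csv << [r[:id], r[:owner], r[:secret]] }
    end
  end
end

# Forces the interleaving deterministically with two queues: Alice's export
# starts, Bob's export runs to completion on the same builder, then Alice's
# export renders. Returns the CSV text Alice receives.
def race(builder)
  alice_started = Queue.new
  bob_finished  = Queue.new
  alice_csv = nil

  alice = Thread.new do
    alice_csv = builder.build(
      TENANT_ROWS["alice"],
      interleave: -> { alice_started << true; bob_finished.pop }
    )
  end
  bob = Thread.new do
    alice_started.pop
    builder.build(TENANT_ROWS["bob"])
    bob_finished << true
  end
  [alice, bob].each(&:join)
  alice_csv
end

# Secrets in the CSV that do not belong to the requesting user, i.e. the
# cross-user leak an auditor would look for.
def leaked_rows(csv_text, requesting_user)
  CSV.parse(csv_text, headers: true)
     .reject { |row| row["owner"] == requesting_user }
     .map { |row| row["secret"] }
end

if __FILE__ == $PROGRAM_NAME
  puts "shared state, leaked to alice: #{leaked_rows(race(SharedStateCsvBuilder.new), 'alice').inspect}"
  puts "local state,  leaked to alice: #{leaked_rows(race(LocalStateCsvBuilder.new), 'alice').inspect}"
end
```

The queues stand in for the scheduler: in a real deployment the attacker cannot choose the interleaving, which is why the advisory talks about timing requests or issuing many exports, but any window between storing and reading shared state is enough for the leak to occur eventually. The fix is structural rather than a lock: once the collection is an argument instead of instance state there is nothing shared left to synchronize.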

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2023-50448
GHSA-356J-HG45-X525

Affected Products

Activeadmin