CVE-2023-50448: 
Ruby vulnerability analysis and mitigation

A concurrency issue was discovered in ActiveAdmin (versions prior to 2.12.0) that affects the CSV export functionality. The vulnerability (CVE-2023-50448) was disclosed on December 15, 2023, and allows malicious actors to potentially access private data belonging to other users by making CSV export requests at specific times. The issue stems from a variable holding the collection to be exported being shared across threads without proper synchronization (GitHub Advisory).

The vulnerability is caused by improper thread synchronization in the CSV export functionality where a shared state variable was not properly protected. The issue has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) (NVD).

An attacker with access to the same ActiveAdmin application as the victim could exploit this vulnerability to access private data belonging to other users. The attack could be executed either by timing requests immediately before an expected CSV export by another user (potentially through phishing) or by frequently requesting CSVs hoping for concurrent requests from other users (GitHub Advisory).

The vulnerability has been fixed in ActiveAdmin version 2.12.0 by completely removing the shared state that caused the concurrency issue. Users are advised to upgrade to version 2.12.0 or later to address this security concern (GitHub Advisory).