CVE-2023-51763: 
Ruby vulnerability analysis and mitigation

csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection. The vulnerability was discovered and disclosed on December 23, 2023, affecting all versions of ActiveAdmin prior to version 3.2.0 (NVD, MITRE).

The vulnerability exists in the csv_builder.rb component where CSV data was not properly sanitized before being processed. The issue specifically relates to the handling of data that starts with special characters like '=', '+', '-', '@', tab, or carriage return, which could be used to inject malicious formulas into CSV files. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow an attacker to perform CSV injection attacks, which may lead to formula injection when the CSV file is opened in spreadsheet applications. This could potentially lead to execution of arbitrary code on the victim's system when the CSV file is opened (GitHub PR).

The vulnerability has been fixed in ActiveAdmin version 3.2.0. The fix involves implementing proper sanitization of CSV data by prepending a single quote to any field that starts with potentially dangerous characters. Users are advised to upgrade to version 3.2.0 or later (GitHub Release).