Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-xhvv-3jww-c487: ActiveAdmin CSV Injection leading to sensitive information disclosure

Impact

In ActiveAdmin versions prior to 3.2.0, maliciously crafted spreadsheet formulas could be uploaded as part of admin data that, when exported to a CSV file and the imported to a spreadsheet program like libreoffice, could lead to remote code execution and private data exfiltration.

The attacker would need privileges to upload data to the same ActiveAdmin application as the victim, and would need the victim to possibly ignore security warnings from their spreadsheet program.

Patches

Versions 3.2.0 and above fixed the problem by escaping any data starting with = and other characters used by spreadsheet programs.

Workarounds

Only turn on formula evaluation in spreadsheet programs when importing CSV after explicitly reviewing the file.

References

https://owasp.org/www-community/attacks/CSV_Injection https://github.com/activeadmin/activeadmin/pull/8167

ghsa
#vulnerability#git#rce#ruby

ActiveAdmin CSV Injection leading to sensitive information disclosure

Moderate severity GitHub Reviewed Published Dec 27, 2023 in activeadmin/activeadmin • Updated Dec 28, 2023

Package

bundler activeadmin (RubyGems)

Affected versions

< 3.2.0

Patched versions

3.2.0

Description

Impact

In ActiveAdmin versions prior to 3.2.0, maliciously crafted spreadsheet formulas could be uploaded as part of admin data that, when exported to a CSV file and the imported to a spreadsheet program like libreoffice, could lead to remote code execution and private data exfiltration.

The attacker would need privileges to upload data to the same ActiveAdmin application as the victim, and would need the victim to possibly ignore security warnings from their spreadsheet program.

Patches

Versions 3.2.0 and above fixed the problem by escaping any data starting with = and other characters used by spreadsheet programs.

Workarounds

Only turn on formula evaluation in spreadsheet programs when importing CSV after explicitly reviewing the file.

References

https://owasp.org/www-community/attacks/CSV_Injection
activeadmin/activeadmin#8167

References

  • GHSA-xhvv-3jww-c487
  • https://nvd.nist.gov/vuln/detail/CVE-2023-51763
  • activeadmin/activeadmin#8167
  • activeadmin/activeadmin@7af735c
  • https://github.com/activeadmin/activeadmin/releases/tag/v3.2.0
  • https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activeadmin/CVE-2023-51763.yml

deivid-rodriguez published to activeadmin/activeadmin

Dec 27, 2023

Published to the GitHub Advisory Database

Dec 28, 2023

Reviewed

Dec 28, 2023

Last updated

Dec 28, 2023

Severity

Moderate

5.2

/ 10

CVSS base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

High

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Weaknesses

CWE-1236

CVE ID

CVE-2023-51763

GHSA ID

GHSA-xhvv-3jww-c487

Source code

activeadmin/activeadmin

Checking history

See something to contribute? Suggest improvements for this vulnerability.

Related news

GHSA-rqxc-9p8h-xqgq: ActiveAdmin vulnerable to CSV injection

csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection.