In ActiveAdmin versions prior to 3.2.0, maliciously crafted spreadsheet formulas could be uploaded as part of admin data that, when exported to a CSV file and then imported into a spreadsheet program like LibreOffice, could lead to remote code execution and private data exfiltration.
The attacker would need privileges to upload data to the same ActiveAdmin application as the victim, and would likely also need the victim to ignore security warnings from their spreadsheet program.
Patches
Versions 3.2.0 and above fixed the problem by escaping any data starting with `=` or other characters used by spreadsheet programs to introduce a formula.
Workarounds
Only turn on formula evaluation in spreadsheet programs when importing CSV after explicitly reviewing the file.
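As an added illustration of the escaping approach the patch describes (example code written for this page, not ActiveAdmin's own implementation), the Ruby below neutralises any cell that starts with a formula-trigger character before it is written to CSV, and also scans an existing export for cells a spreadsheet program would evaluate. The trigger list follows the OWASP CSV Injection guidance and is an assumption; the sample rows are constructed.

```ruby
require "csv"

# Characters spreadsheet programs treat as the start of a formula.
# Constructed from the OWASP CSV Injection guidance; an assumption, not
# ActiveAdmin's own list.
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# Force a cell to be read as literal text by prefixing an apostrophe.
# Side effect worth knowing: a string like "-5" is escaped too, so
# numeric columns should be exported as numbers, not strings.
def sanitize_csv_cell(value)
  return value unless value.is_a?(String) && !value.empty?
  FORMULA_TRIGGERS.include?(value[0]) ? "'" + value : value
end

# Build a CSV document with every cell sanitised. Quoting of embedded
# commas, quotes and newlines is left to the CSV library.
def safe_csv(header, rows)
  CSV.generate do |csv|
    csv << header
    rows.each { |row| csv << row.map { |cell| sanitize_csv_cell(cell) } }
  end
end

# Detection helper for exports produced by older versions: returns
# [row, column, cell] for every cell that would be evaluated as a formula.
def formula_cells(csv_text)
  found = []
  CSV.parse(csv_text).each_with_index do |row, r|
    row.each_with_index do |cell, c|
      next unless cell.is_a?(String) && !cell.empty?
      found << [r, c, cell] if FORMULA_TRIGGERS.include?(cell[0])
    end
  end
  found
end

# Constructed sample admin data: one user-supplied name starts with "=".
SAMPLE_HEADER = ["id", "name", "email"].freeze
SAMPLE_ROWS = [
  [1, "Alice", "alice@example.com"],
  [2, "=1+2", "bob@example.com"],
].freeze

if __FILE__ == $PROGRAM_NAME
  puts safe_csv(SAMPLE_HEADER, SAMPLE_ROWS)
end
```

Running `formula_cells` over an export taken from a pre-3.2.0 instance is a cheap way to find records that were entered while the application was unpatched.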
activeadmin/activeadmin (activeadmin)
### [`v3.2.0`](https://togithub.com/activeadmin/activeadmin/releases/tag/v3.2.0)
[Compare Source](https://togithub.com/activeadmin/activeadmin/compare/v3.1.0...v3.2.0)
#### What's Changed
- Backport provide detail in DB statement timeout error for filters by [@mgrunberg](https://togithub.com/mgrunberg) in [https://github.com/activeadmin/activeadmin/pull/8163](https://togithub.com/activeadmin/activeadmin/pull/8163)
- Backport ransack error with filters when ActiveStorage is used by [@mgrunberg](https://togithub.com/mgrunberg) in [https://github.com/activeadmin/activeadmin/pull/8164](https://togithub.com/activeadmin/activeadmin/pull/8164)
- Backport support citext column type in string filter by [@mgrunberg](https://togithub.com/mgrunberg) in [https://github.com/activeadmin/activeadmin/pull/8165](https://togithub.com/activeadmin/activeadmin/pull/8165)
- Backport make sure menu creation does not modify menu options by [@mgrunberg](https://togithub.com/mgrunberg) in [https://github.com/activeadmin/activeadmin/pull/8166](https://togithub.com/activeadmin/activeadmin/pull/8166)
- Backport protect against CSV Injection by [@mgrunberg](https://togithub.com/mgrunberg) in [https://github.com/activeadmin/activeadmin/pull/8167](https://togithub.com/activeadmin/activeadmin/pull/8167)
**Full Changelog**: https://github.com/activeadmin/activeadmin/compare/v3.1.0...v3.2.0
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
This PR contains the following updates: `activeadmin` `3.1.0` -> `3.2.0`.
GitHub Vulnerability Alerts
CVE-2023-51763
References
- https://owasp.org/www-community/attacks/CSV_Injection
- https://github.com/activeadmin/activeadmin/pull/8167