GoogleOSV:GHSA-HJP3-5G2Q-7JWWRace Condition leading to logging errors
3.1 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
35.1%
In certain setups with threaded web servers, Audited’s use of Thread.current can incorrectly attributed audits to the wrong user.
Fixed in 5.3.3.
In March, @convisoappsec noticed that the library in question had a Race Condition problem, which caused logs to be registered at times with different users than those who performed the genuine actions.
- The first issue we identified was from November 2021: https://github.com/collectiveidea/audited/issues/601
- So the solution was implemented in the following Pull Request: https://github.com/collectiveidea/audited/pull/669
- And the feature was published in version 5.3.3: RELEASE: https://github.com/collectiveidea/audited/pull/671
References
github.com/collectiveidea/audited
github.com/collectiveidea/audited/commit/342734c9396d8f96d3165f1d8531c626139fa4c6
github.com/collectiveidea/audited/issues/601
github.com/collectiveidea/audited/pull/669
github.com/collectiveidea/audited/pull/671
github.com/collectiveidea/audited/security/advisories/GHSA-hjp3-5g2q-7jww
github.com/rubysec/ruby-advisory-db/blob/master/gems/audited/CVE-2024-22047.yml
nvd.nist.gov/vuln/detail/CVE-2024-22047
Related
3.1 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
35.1%