CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence: Low
In certain setups with threaded web servers, Audited's use of Thread.current can incorrectly attribute audits to the wrong user: state stored on the thread can outlive the request that set it and be read by a later request served on the same thread.
Fixed in 5.3.3.
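The following is an added illustration, not code from the Audited gem or from the linked pull request, of why per-thread state misattributes audits once a server reuses threads across requests. It simulates one pooled worker thread handling consecutive requests: the leaky handler sets Thread.current only when a user is logged in and never clears it, so an anonymous request inherits the previous user; the safe handler sets the value for every request and restores it in an ensure block. The handler names, the sample requests and the audit store are all constructed for this example, and the clear-in-ensure pattern is a generic mitigation, not a claim about what the gem's actual fix does.

```ruby
# Simulated audit store (constructed for this example): each record is [action, user].
class AuditLog
  attr_reader :records

  def initialize
    @records = []
    @mutex = Mutex.new
  end

  def record(action, user)
    @mutex.synchronize { @records << [action, user] }
  end
end

# Leaky pattern: the thread-local is set only when a user is present and is
# never cleared, so a later request on the same pooled thread reads stale data.
def leaky_request(log, user, action)
  Thread.current[:audited_user] = user if user
  log.record(action, Thread.current[:audited_user])
end

# Safe pattern: assign the value for every request (nil included) and restore
# the previous value in ensure, so nothing leaks to the next request.
def safe_request(log, user, action)
  previous = Thread.current[:audited_user]
  Thread.current[:audited_user] = user
  log.record(action, Thread.current[:audited_user])
ensure
  Thread.current[:audited_user] = previous
end

# One worker thread draining a queue of requests in order, standing in for a
# single thread of a server's pool that handles many requests over its lifetime.
def run_on_pooled_thread(log, requests, handler)
  queue = Queue.new
  requests.each { |r| queue << r }
  queue.close
  worker = Thread.new do
    while (req = queue.pop)
      send(handler, log, req[:user], req[:action])
    end
  end
  worker.join
  log.records
end

# Constructed request sequence: authenticated requests interleaved with
# anonymous ones (user nil) that must not be attributed to anybody.
SAMPLE_REQUESTS = [
  { user: "alice", action: "update_profile" },
  { user: nil,    action: "view_public_page" },
  { user: "bob",  action: "delete_comment" },
  { user: nil,    action: "view_public_page" }
].freeze

def leaky_attributions
  run_on_pooled_thread(AuditLog.new, SAMPLE_REQUESTS, :leaky_request)
end

def safe_attributions
  run_on_pooled_thread(AuditLog.new, SAMPLE_REQUESTS, :safe_request)
end

# Defender's check: compare what the audit log recorded against who actually
# issued each request and count the mismatches.
def count_misattributed(requests, records)
  requests.zip(records).count { |req, (_action, recorded_user)| req[:user] != recorded_user }
end

if __FILE__ == $PROGRAM_NAME
  p leaky_attributions  # anonymous requests are logged as "alice" and "bob"
  p safe_attributions   # anonymous requests stay nil
  p count_misattributed(SAMPLE_REQUESTS, leaky_attributions) # 2
  p count_misattributed(SAMPLE_REQUESTS, safe_attributions)  # 0
end
```

The same mismatch count is a useful production check: periodically reconcile audit rows against the authenticated session that produced the request (for example from request logs) and alert when an anonymous or differently authenticated request produced an audit row attributed to someone else.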
In March, @convisoappsec noticed that the library in question had a race condition problem, which caused logs to be registered at times with different users than those who performed the genuine actions.
The first issue we identified was from November 2021: https://github.com/collectiveidea/audited/issues/601
So the solution was implemented in the following pull request: https://github.com/collectiveidea/audited/pull/669
And the fix was published in version 5.3.3.
RELEASE: https://github.com/collectiveidea/audited/pull/671