RubySecRUBY:AUDITED-2024-22047Race Condition leading to logging errors
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low
In certain setups with threaded web servers, Audited’s use of
Thread.current can incorrectly attributed audits to the wrong user.
Fixed in 5.3.3.
In March, @convisoappsec noticed that the library in question had a
Race Condition problem, which caused logs to be registered at times
with different users than those who performed the genuine actions.
-
The first issue we identified was from November
2021: https://github.com/collectiveidea/audited/issues/601 -
So the solution was implemented in the following Pull Request:
https://github.com/collectiveidea/audited/pull/669 -
And the feature was published in version 5.3.3:
RELEASE: https://github.com/collectiveidea/audited/pull/671
Affected configurations
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low