CVE-2024-22047.yml
---
gem: audited
cve: 2024-22047
ghsa: hjp3-5g2q-7jww
url: https://github.com/collectiveidea/audited/security/advisories/GHSA-hjp3-5g2q-7jww
title: Race Condition leading to logging errors
date: 2023-05-01
description: |
  In certain setups with threaded web servers, Audited's use of
  `Thread.current` can incorrectly attribute audits to the wrong user.
  Fixed in 5.3.3.
  In March, @convisoappsec noticed that the library in question had a
  Race Condition problem, which caused logs to be registered at times
  with different users than those who performed the genuine actions.
  - The first issue we identified was from November
    2021: https://github.com/collectiveidea/audited/issues/601
  - So the solution was implemented in the following Pull Request:
    https://github.com/collectiveidea/audited/pull/669
  - And the feature was published in version 5.3.3:
    RELEASE: https://github.com/collectiveidea/audited/pull/671
cvss_v3: 3.1
unaffected_versions:
  - "< 4.0.0"
patched_versions:
  - ">= 5.3.3"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-22047
    - https://github.com/collectiveidea/audited/security/advisories/GHSA-hjp3-5g2q-7jww
    - https://github.com/collectiveidea/audited/issues/601
    - https://github.com/collectiveidea/audited/pull/669
    - https://github.com/collectiveidea/audited/pull/671
    - https://github.com/advisories/GHSA-hjp3-5g2q-7jww