Race Condition leading to logging errors

Low severity GitHub Reviewed Published Apr 28, 2023 in collectiveidea/audited • Updated Jan 8, 2024

Package

bundler audited (RubyGems)

Affected versions

>= 4.0.0, < 5.3.3

Patched versions

5.3.3

Description

In certain setups with threaded web servers, Audited's use of Thread.current can incorrectly attribute audits to the wrong user.

Fixed in 5.3.3.

In March, @convisoappsec noticed that the library in question had a race condition problem, which at times caused audit logs to be recorded under a different user than the one who performed the genuine action.
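The mechanism behind the advisory, as an added illustration that is not Audited's own code: a threaded server reuses worker threads across requests, so a value left in Thread.current by one request is still there when the same thread serves the next one. The simulation below runs two constructed requests on a single worker thread. The "leaky" handler only sets the thread-local when the request carries an authenticated user and never clears it, so the following anonymous request inherits the previous user; the "reset" handler (one defensive pattern, assumed here, not a claim about how 5.3.3 fixes it) restores the thread-local in an ensure block so the value lives exactly as long as the request. Module, method and user names are all made up for the example.

```ruby
# Added example (not Audited's code): shows how a thread-local "current user"
# leaks between requests on a reused worker thread, and a per-request reset
# that prevents the stale attribution.

AuditEntry = Struct.new(:action, :user)

# Hypothetical auditor that keeps the acting user in a thread-local.
module LeakyAuditor
  def self.current_user=(user)
    Thread.current[:leaky_audit_user] = user
  end

  def self.current_user
    Thread.current[:leaky_audit_user]
  end

  # Attributes the action to whatever user the thread-local currently holds.
  def self.record(action)
    AuditEntry.new(action, current_user)
  end
end

# Simulated request handler; `user` is nil for an unauthenticated request.
# Defect: the thread-local is only written when a user is present and is never
# cleared, so it survives into the next request served by the same thread.
def handle_request_leaky(user, action)
  LeakyAuditor.current_user = user if user
  LeakyAuditor.record(action)
end

# Hardened handler: the thread-local is set for the duration of this request
# and restored afterwards, even if the request raises.
def handle_request_reset(user, action)
  previous = LeakyAuditor.current_user
  LeakyAuditor.current_user = user
  LeakyAuditor.record(action)
ensure
  LeakyAuditor.current_user = previous
end

# Runs a sequence of requests on ONE worker thread (as a thread pool would),
# returning [action, attributed_user] pairs.
def run_on_single_worker(requests, &handler)
  results = nil
  worker = Thread.new do
    results = requests.map { |user, action| handler.call(user, action) }
  end
  worker.join
  results.map { |entry| [entry.action, entry.user] }
end

# Constructed traffic: "alice" acts, then an anonymous request lands on the same thread.
REQUESTS = [
  ["alice", "update_profile"],
  [nil,     "delete_comment"],
].freeze

def leaky_attribution
  run_on_single_worker(REQUESTS) { |u, a| handle_request_leaky(u, a) }
end

def reset_attribution
  run_on_single_worker(REQUESTS) { |u, a| handle_request_reset(u, a) }
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky: #{leaky_attribution.inspect}"   # anonymous action blamed on alice
  puts "reset: #{reset_attribution.inspect}"   # anonymous action stays unattributed
end
```

The leaky run attributes "delete_comment" to "alice" although that request carried no user, which is exactly the wrong-user attribution the advisory describes; the reset run leaves it unattributed. The same check is a useful regression test for any middleware that stores per-request state in Thread.current: drive two requests through one thread and assert the second sees none of the first's state.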

References

@danielmorrison danielmorrison published to collectiveidea/audited Apr 28, 2023
Published to the GitHub Advisory Database May 1, 2023
Reviewed May 1, 2023
Last updated Jan 8, 2024

Severity

Low (3.1 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Weaknesses

No CWEs

CVE ID

CVE-2024-22047

GHSA ID

GHSA-hjp3-5g2q-7jww
