GHSA-hjp3-5g2q-7jww

Suggest an improvement
Source
https://github.com/advisories/GHSA-hjp3-5g2q-7jww
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-hjp3-5g2q-7jww/GHSA-hjp3-5g2q-7jww.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hjp3-5g2q-7jww
Aliases
Published
2023-05-01T14:00:47Z
Modified
2024-11-29T05:33:31.185735Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Race Condition leading to logging errors
Details

In certain setups with threaded web servers, Audited's use of Thread.current can incorrectly attributed audits to the wrong user.

Fixed in 5.3.3.

In March, @convisoappsec noticed that the library in question had a Race Condition problem, which caused logs to be registered at times with different users than those who performed the genuine actions.

  • The first issue we identified was from November 2021: https://github.com/collectiveidea/audited/issues/601
  • So the solution was implemented in the following Pull Request: https://github.com/collectiveidea/audited/pull/669
  • And the feature was published in version 5.3.3: RELEASE: https://github.com/collectiveidea/audited/pull/671
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-01T14:00:47Z"
}
References

Affected packages

RubyGems / audited

Package

Name
audited
Purl
pkg:gem/audited

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
5.3.3

Affected versions

4.*

4.0.0
4.2.0
4.2.1
4.2.2
4.3.0
4.4.0
4.4.1
4.5.0
4.6.0
4.7.0
4.7.1
4.8.0
4.9.0
4.10.0

5.*

5.0.0
5.0.1
5.0.2
5.1.0
5.2.0
5.3.0
5.3.1
5.3.2