3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-22047

GHSA ID

GHSA-hjp3-5g2q-7jww

EPSS Score

0.76876%

CWE

Published

5/1/2023

Updated

1/8/2024

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-22047

CVE-2024-22047:
Race Condition leading to logging errors

In certain setups with threaded web servers, Audited's use of Thread.current can incorrectly attributed audits to the wrong user.

Fixed in 5.3.3.

In March, @convisoappsec noticed that the library in question had a Race Condition problem, which caused logs to be registered at times with different users than those who performed the genuine actions.

The first issue we identified was from November 2021: https://github.com/collectiveidea/audited/issues/601
So the solution was implemented in the following Pull Request: https://github.com/collectiveidea/audited/pull/669
And the feature was published in version 5.3.3: RELEASE: https://github.com/collectiveidea/audited/pull/671

(GitHub Advisory)

3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-22047

GHSA ID

GHSA-hjp3-5g2q-7jww

EPSS Score

0.76876%

CWE

Published

5/1/2023

Updated

1/8/2024

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
audited	rubygems	>= 4.0.0, < 5.3.3	5.3.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using thread-local storage (Thread.current) for audit context in the store method. The commit diff shows this was replaced with RequestStore (designed for per-request thread isolation). The original implementation's direct use of Thread.current.thread_variable_get/Set without proper synchronization created race conditions in multi-threaded environments, as confirmed by the advisory's description of audits being attributed to wrong users. The test case removal involving Fibers further demonstrates concurrency-related flaws in the original implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In **rt*in s*tups wit* t*r***** w** s*rv*rs, *u*it**'s us* o* `T*r***.*urr*nt` **n in*orr**tly *ttri*ut** *u*its to t** wron* us*r. *ix** in *.*.*. In M*r**, @*onviso*pps** noti*** t**t t** li*r*ry in qu*stion *** * R*** *on*ition pro*l*m, w*i**

Reasoning

T** vuln*r**ility st*ms *rom usin* t*r***-lo**l stor*** (T*r***.*urr*nt) *or *u*it *ont*xt in t** stor* m*t*o*. T** *ommit *i** s*ows t*is w*s r*pl**** wit* R*qu*stStor* (**si*n** *or p*r-r*qu*st t*r*** isol*tion). T** ori*in*l impl*m*nt*tion's *ir**

3.1

Basic Information

Concerned about an active attack path?

CVE-2024-22047: Race Condition leading to logging errors

3.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-22047:
Race Condition leading to logging errors

Vulnerability Intelligence
Miggo AI