PT-2023-32943 · Audited · Audited

Htrgouvea · Published 2023-05-01 · Updated 2025-11-28 · CVE-2024-22047

CVSS v3.1: 3.1 (Low)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Audited versions 4.0.0 through 5.3.3

Description

A race condition exists in Audited that can result in an authenticated user causing audit log entries to be attributed to another user. This issue is related to Audited's use of Thread.current in certain setups with threaded web servers, which can incorrectly attribute audits to the wrong user. The problem was first identified in November 2021 and a solution was implemented in a pull request, with the fix being published in version 5.3.3.

Recommendations

For Audited versions 4.0.0 through 5.3.3, update to version 5.3.3 or later to resolve the issue. As a temporary workaround, consider restricting access to threaded web server setups to minimize the risk of exploitation.

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2024-22047
GHSA-HJP3-5G2Q-7JWW
GHSA-V444-JGGX-6V7F
RHSA-2024:2010

Affected Products

Audited