Description: In certain setups with threaded web servers, Audited's use of Thread.current can incorrectly attributed audits to the wrong user. Patches: Fixed in 5.3.3. In March, @convisoappsec noticed that the library in question had a Race Condition problem, which caused logs to be registered at times with different users than those who performed the genuine actions. The first issue we identified was from November 2021: collectiveidea/audited#601 So the solution was implemented in the following Pull Request: collectiveidea/audited#669 And the feature was published in version 5.3.3: RELEASE: collectiveidea/audited#671 References: https://github.com/advisories/GHSA-hjp3-5g2q-7jww https://github.com/collectiveidea/audited/issues/601 https://github.com/collectiveidea/audited/pull/669 https://github.com/collectiveidea/audited/pull/671 https://github.com/collectiveidea/audited/security/advisories/GHSA-hjp3-5g2q-7jww https://vulncheck.com/advisories/vc-advisory-GHSA-hjp3-5g2q-7jww
This issue has been addressed in the following products: Red Hat Satellite 6.15 for RHEL 8 Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010