I apologise for using a bug report but the last email I can see on the devel list is from June.
This was fixed between 2.3.3 and 2.4.0 but I've searched the git log, these issues and the devel mailing list and I can't find anything relating to the commit where this was fixed.
The CVE relates to audacity's temp directory having 0777 permissions instead of 0700 which would prevent other users seeing the files.