CVE-2024-45339 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-45339

CVE-2024-45339

January 28, 2025

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

Related Resources (8)

https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2

https://pkg.go.dev/vuln/GO-2025-3372

https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File

https://github.com/golang/glog

https://github.com/golang/glog/pull/74

https://lists.debian.org/debian-lts-announce/2025/02/msg00019.html

https://nvd.nist.gov/vuln/detail/CVE-2024-45339

https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs

Do you need more information?

CVSS v4

Base Score:

8.4

Attack Vector

LOCAL

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

Exploit Maturity

UNREPORTED

CVSS v3

Base Score:

7.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Weakness Type (CWE)

Insecure Temporary File

CWE-377

UNIX Symbolic Link (Symlink) Following

CWE-61

EPSS

Base Score:

0.03

Products

Solutions

Resources

Company

Compare

Developer Tools