Symbolic Link Vulnerability in glog Affected by GoLang
CVE-2024-45339

7.1HIGH

Key Information:

Vendor: Github.com/golang/glog
Status: Github.com/golang/glog
Vendor: CVE Published:; 28 January 2025

🔔 Create Github.com/golang/glog Vulnerability Alert

What is CVE-2024-45339?

A security vulnerability exists in the glog logging library, allowing an unprivileged attacker to exploit the default behavior of writing logs to a widely-writable directory. By predicting the log file path of a privileged process, the attacker can create a symbolic link that redirects log entries to a sensitive file. When the privileged process executes and attempts to write to its log, it inadvertently overwrites the sensitive file, compromising data integrity. To mitigate this issue, recent updates to glog ensure that the program will terminate with an error when it detects that the configured log file already exists.

Affected Version(s)

github.com/golang/glog 0 < 1.2.4

References

https://github.com/golang/glog/pull/74/commits/b8741656e4...

https://github.com/golang/glog/pull/74

https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 28, 2025
Vulnerability Reserved
Aug 27, 2024

Credit

Josh McSavaney

Günther Noack