Insecure Temporary File usage in github.com/golang/glog

Overview

Source
ID
GHSA-6wxm-mpqj-6jpf
Aliases
CVE-2024-45339
GO-2025-3372
Affected package

Description

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

Impact

Severity
Latest version of the CVSS score reported by the source of the advisory.
7.1 MODERATE
Reference links

Summary

19.51k
Total packages affected
Packages with at least one version that is affected by the advisory or has an affected dependency.
2.27k
Packages with a known fix
Packages with versions affected by the advisory that have a greater version that is not affected.
1.45%
Total ecosystem affected
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
github.com/golang/glog
Affected Version: Introduced: 0, Fixed: 1.2.4
Patched/Unaffected
v1.2.4
Affected
v1.2.4-0.19700101000000-a0e3c40a0ed0
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.2
v1.1.1
v1.1.1-0.20230317133409-c0f9e3d764d3
v1.1.0
v1.0.0
v0.0.0-20210429001901-424d2337a529
v0.0.0-20160126235308-23def4e6c14b
v0.0.0-20150731225221-fca8c8854093
v0.0.0-20141105023935-44145f04b68c