Vulnerability when creating log files in github.com/golang/glog

Overview

Source

ID

GO-2025-3372

Aliases

CVE-2024-45339

GHSA-6wxm-mpqj-6jpf

Affected package

github.com/golang/glog

Description

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

Impact

Reference links

https://github.com/golang/glog/pull/74

https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2

https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs

https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File

https://vuln.go.dev/ID/GO-2025-3372.json

Summary

19.51k

Total packages affected

Packages with at least one version that is affected by the advisory or has an affected dependency.

2.27k

Packages with a known fix

Packages with versions affected by the advisory that have a greater version that is not affected.

1.45%

Total ecosystem affected

The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).

github.com/golang/glog

Affected Version: Introduced: 0, Fixed: 1.2.4

Patched/Unaffected

January 13, 2025

Affected

v1.2.4-0.19700101000000-a0e3c40a0ed0

November 5, 2024

July 25, 2024

April 4, 2024

November 22, 2023

August 9, 2023

March 25, 2023

v1.1.1-0.20230317133409-c0f9e3d764d3

March 17, 2023

March 8, 2023

November 2, 2021

v0.0.0-20210429001901-424d2337a529

June 17, 2021

v0.0.0-20160126235308-23def4e6c14b

April 10, 2019

v0.0.0-20150731225221-fca8c8854093

April 23, 2019

v0.0.0-20141105023935-44145f04b68c

April 25, 2019

This site uses cookies from Google to deliver its services and to analyze traffic.