CVE-2024-45339
Aliases:GHSA-6wxm-mpqj-6jpfGO-2025-3372
Advisory lineage Upstream: 0 Downstream: 18
Deferred
Published: 28 Jan 2025, 01:03
Last modified:30 Apr 2026, 03:56
Vulnerability Summary
Overall Risk (default)
medium
28/100 CVSS Score
7.1 HIGH
v3.1 (cve.org)
EPSS Score
0.07% LOW
0% probability +0.05%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
28 Jan 2025, 01:03
Published
Vulnerability first disclosed
30 Apr 2026, 03:56
Last Modified
Vulnerability information updated
Description
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.
CVSS Metrics
- v4.0•HIGH•Score: 7.2CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
- v3.1•HIGH•Score: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Trends
Current EPSS score: 0.07%• Percentile: 22%
Affected Systems
- github.com/golang/glog•github.com/golang/glog
< 1.2.4
- github.com/golang•glog
< 1.2.4
References (8)
- https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2
- https://github.com/golang/glog/pull/74
- https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs
- https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
- https://pkg.go.dev/vuln/GO-2025-3372
- https://lists.debian.org/debian-lts-announce/2025/02/msg00019.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-45339
- https://github.com/golang/glog