GHSA-6wxm-mpqj-6jpf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6wxm-mpqj-6jpf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-6wxm-mpqj-6jpf/GHSA-6wxm-mpqj-6jpf.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-6wxm-mpqj-6jpf
- Aliases
- Related
- Published
- 2025-01-28T17:29:03Z
- Modified
- 2025-01-28T20:15:40Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- 4.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- Insecure Temporary File usage in github.com/golang/glog
- Details
-
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.
- Database specific
{ "nvd_published_at": "2025-01-28T02:15:28Z", "cwe_ids": [ "CWE-377", "CWE-61" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-01-28T17:29:03Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-45339
- https://github.com/golang/glog/pull/74
- https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2
- https://github.com/golang/glog
- https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs
- https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
- https://pkg.go.dev/vuln/GO-2025-3372
Affected packages
Go / github.com/golang/glog
Package
- Name
- github.com/golang/glog
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/golang/glog