Loading...

XML

Word

Printable

Type: Vulnerability
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Acceptance Criteria:
None
Regression:
None
Intelligence Requested:
Market:
PX Impact Score:
Source:
CVEORG
CVE ID:
CVE-2024-45339
CVSS Score:
7.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE ID:
CWE-59
Downstream Component Name:
ocp-vulnerability/vuln4shift-backend
Upstream Affected Component:
github.com/golang/glog
Embargo Status:
False

Severity:
Important

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Security Tracking Issue

Do not make this issue public.

Flaw:

Vulnerability when creating log files in github.com/golang/glog
https://bugzilla.redhat.com/show_bug.cgi?id=2342463

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

~~~

links to

https://github.com/golang/glog/pull/74

https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2

https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs

https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File

https://pkg.go.dev/vuln/GO-2025-3372

https://www.cve.org/CVERecord?id=CVE-2024-45339

(1 links to)