Cyber Posture

CVE-2024-45339

High

Published: 28 January 2025
Modified: 15 April 2026
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0007 (21.9th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45339 is a high-severity vulnerability with no CWE assigned. The vendor recorded below ("Owasp") is inferred from the references; the affected component is glog, the Go logging library (see Deeper analysis). Its CVSS base score is 7.1 (High).

Operationally, its EPSS score places it at the 21.9th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-9 (Protection of Audit Information) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Mitigating Controls (NIST 800-53 r5)

SC-4 (Information in Shared System Resources), prevent: prevents unauthorized and unintended information transfer via shared system resources, directly addressing symlink race conditions in widely writable log directories.

AU-9 (Protection of Audit Information), prevent: protects audit information and logging tools from unauthorized modification and deletion by enforcing strict access controls on log files and directories.

CM-6 (Configuration Settings), prevent: establishes and enforces secure configuration settings for logging paths to avoid the world-writable directories exploited in the symlink attack.

NVD Description

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

Deeper analysis

CVE-2024-45339 is a vulnerability in glog, a logging library for Go programs originally developed by Google. In its default configuration, glog writes logs to a widely writable directory, enabling a symlink race condition. An attacker can predict the log file path used by a privileged process and pre-create a symbolic link pointing to a sensitive file. When the privileged process attempts to write logs, it follows the symlink and overwrites the target sensitive file.

The attack requires local access with low privileges (PR:L), low attack complexity (AC:L), and no user interaction (UI:N), as indicated by the CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). An unprivileged local attacker can exploit this to achieve high confidentiality and integrity impacts by overwriting arbitrary sensitive files owned by the privileged process, potentially leading to data corruption or exposure.

The patch, detailed in glog pull request #74 (commit b8741656e406e66d6992bc2c9575e460ecaa0ec2), modifies glog to exit with status code 2 if the configured log file already exists, preventing the symlink follow. This fix is announced in the Go vulnerability database (GO-2025-3372) and golang-announce group, with related guidance on insecure temporary file handling from OWASP.
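A hardened log-file open in Go, written here as an added illustration rather than glog's own code from PR #74: O_CREATE|O_EXCL refuses any pre-existing path, a planted symlink included, which mirrors the exit-on-existing-file policy described above, and a second helper flags the world-writable log directory that CM-6 is meant to rule out. The function names and the sandbox file layout are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// openLogFile creates a brand-new log file at path. O_CREATE|O_EXCL makes
// the kernel fail with EEXIST when the name is taken, and POSIX requires that
// even when the existing name is a symlink, so a planted link is never followed.
func openLogFile(path string) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if errors.Is(err, os.ErrExist) {
		// Same policy as the patched glog described above: an existing file
		// at the configured log path is fatal, never reused or overwritten.
		return nil, fmt.Errorf("log file %q already exists; refusing to write there", path)
	}
	return f, err
}

// logDirIsPrivate reports whether the log file's directory is closed to group
// and other writes; a world-writable directory is what enables the race.
func logDirIsPrivate(path string) (bool, error) {
	fi, err := os.Stat(filepath.Dir(path))
	if err != nil {
		return false, err
	}
	return fi.Mode().Perm()&0o022 == 0, nil
}

func main() {
	dir, err := os.MkdirTemp("", "logdemo") // constructed sandbox, mode 0700
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	sensitive := filepath.Join(dir, "sensitive.conf") // stand-in for a privileged file
	_ = os.WriteFile(sensitive, []byte("keep me\n"), 0o600)
	logPath := filepath.Join(dir, "app.INFO")
	_ = os.Symlink(sensitive, logPath) // the pre-planted link the NVD text describes
	if _, err := openLogFile(logPath); err != nil {
		fmt.Println("refused:", err)
	}
	data, _ := os.ReadFile(sensitive)
	fmt.Printf("sensitive file still reads %q\n", data)
	if private, _ := logDirIsPrivate(logPath); !private {
		fmt.Println("warning: log directory is writable by other users")
	}
}
```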

Details

CWE(s)
None listed

Affected Products

Owasp (inferred from references and description; NVD did not file a CPE for this CVE)